VYPR
Moderate severity · NVD Advisory · Published Sep 11, 2020 · Updated Aug 4, 2024

CVE-2020-14330

Description

An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.
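
The flaw described above, as an added illustration that is not code from this page or from Ansible: a simplified sanitizer that masks secrets in values only (the affected behaviour) or in mapping keys as well (the patched behaviour). The names `scrub`, `leaked`, `demo` and the sample result are constructed for this example.

```python
import json
from collections.abc import Mapping

MASK = "********"  # same mask that appears in the page's test expectations


def scrub(value, secrets, scrub_keys):
    """Simplified stand-in for a no_log sanitizer (not Ansible's code).

    scrub_keys=False models the affected behaviour: only values are masked.
    scrub_keys=True models the patched behaviour: mapping keys are masked too.
    """
    if isinstance(value, str):
        for secret in secrets:
            value = value.replace(secret, MASK)
        return value
    if isinstance(value, Mapping):
        out = {}
        for key, elem in value.items():
            new_key = scrub(key, secrets, scrub_keys) if scrub_keys else key
            out[new_key] = scrub(elem, secrets, scrub_keys)
        return out
    if isinstance(value, (list, tuple, set, frozenset)):
        return type(value)(scrub(e, secrets, scrub_keys) for e in value)
    return value  # numbers, booleans and None pass through unchanged


def leaked(result, secrets):
    """Return the secrets still present in the JSON text that would be logged."""
    text = json.dumps(result, sort_keys=True)
    return sorted(s for s in secrets if s in text)


# Constructed module result: the remote service echoes the query string back,
# so the secret shows up in a response key as well as in a value.
SECRETS = frozenset(["password"])
RESULT = {"json": {"args": {"key-password": "value-password"}}, "status": 200}


def demo():
    before = scrub(RESULT, SECRETS, scrub_keys=False)
    after = scrub(RESULT, SECRETS, scrub_keys=True)
    return before, leaked(before, SECRETS), after, leaked(after, SECRETS)


if __name__ == "__main__":
    for item in demo():
        print(item)
```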

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
ansible (PyPI)   < 2.10.0            2.10.0

Patches

e0f25a2b1f9e

Strip no log values from module response keys. Fixes #68400 (#69653)

https://github.com/ansible/ansible · Matt Martz · May 21, 2020 · via ghsa
4 files changed · +22 −2
  • changelogs/fragments/68400-strip-no-log-values-from-keys.yml+2 0 added
    @@ -0,0 +1,2 @@
    +bugfixes:
    +- Strip no log values from module response keys (https://github.com/ansible/ansible/issues/68400)
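
Review bot: The fragment's only entry, under `bugfixes`, does not say that no_log values could previously appear in response keys, nor that key names in returned results now change. Spell both out so readers of the changelog can tell that this closes an information leak and may affect playbooks that reference those keys.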
    
  • lib/ansible/module_utils/basic.py+2 1 modified
    @@ -410,8 +410,9 @@ def remove_values(value, no_log_strings):
             old_data, new_data = deferred_removals.popleft()
             if isinstance(new_data, Mapping):
                 for old_key, old_elem in old_data.items():
    +                new_key = _remove_values_conditions(old_key, no_log_strings, deferred_removals)
                     new_elem = _remove_values_conditions(old_elem, no_log_strings, deferred_removals)
    -                new_data[old_key] = new_elem
    +                new_data[new_key] = new_elem
             else:
                 for elem in old_data:
                     new_elem = _remove_values_conditions(elem, no_log_strings, deferred_removals)
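
Review bot: In the Mapping branch, `new_data[new_key] = new_elem` can silently drop entries: two distinct keys that differ only in a no_log substring sanitize to the same `new_key`, and the later one overwrites the earlier. If that is acceptable, say so in a comment at this line; otherwise detect the collision. The docstring of `remove_values` should also state that mapping keys are now rewritten, since a caller that looks up a result by its original key will no longer find it.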
    
  • test/integration/targets/uri/tasks/main.yml+12 0 modified
    @@ -544,6 +544,18 @@
         that:
           - result.json.json[0] == 'JSON Test Pattern pass1'
     
    +- name: Make request that includes password in JSON keys
    +  uri:
    +    url: "https://{{ httpbin_host}}/get?key-password=value-password"
    +    user: admin
    +    password: password
    +  register: sanitize_keys
    +
    +- name: assert that keys were sanitized
    +  assert:
    +    that:
    +      - sanitize_keys.json.args['key-********'] == 'value-********'
    +
     - name: Create a testing file
       copy:
         content: "content"
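
Review bot: The `assert that keys were sanitized` task checks only that the masked key exists with the masked value; it never checks that the raw key is gone. Add a negative condition such as `'key-password' not in sanitize_keys.json.args`, and tidy the spacing in `{{ httpbin_host}}` while here.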
    
  • test/units/module_utils/basic/test_no_log.py+6 1 modified
    @@ -105,13 +105,18 @@ class TestRemoveValues(unittest.TestCase):
                     'three': [
                         OMIT, 'musketeers', None, {
                             'ping': OMIT,
    -                        'base': [
    +                        OMIT: [
                                 OMIT, 'raquets'
                             ]
                         }
                     ]
                 }
             ),
    +        (
    +            {'key-password': 'value-password'},
    +            frozenset(['password']),
    +            {'key-********': 'value-********'},
    +        ),
             (
                 'This sentence has an enigma wrapped in a mystery inside of a secret. - mr mystery',
                 frozenset(['enigma', 'mystery', 'secret']),
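
Review bot: The added case in `TestRemoveValues` covers a single string key only. Add a case where two keys sanitize to the same string (for example two no_log strings appearing in otherwise identical keys) to pin down which entry survives, and one with a non-string key such as an integer to pin down how keys of that type are handled.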
    
