Ansible-core: possible information leak in tasks that ignore ansible_no_log configuration
Description
An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ansible-core fails to respect the ANSIBLE_NO_LOG configuration in certain tasks, causing sensitive information like decrypted secrets to be included in output.
Vulnerability Overview
CVE-2024-0690 is an information disclosure flaw in ansible-core. The root cause is a failure to respect the ANSIBLE_NO_LOG configuration setting in certain task scenarios, such as when processing loop items. As a result, sensitive information that should be suppressed from logs and output may still be exposed [1][2].
Exploitation and Attack Surface
The vulnerability can be triggered through normal Ansible playbook execution where loop items are used. Any user or system that runs Ansible tasks with ANSIBLE_NO_LOG enabled could be affected. The issue does not require additional authentication beyond what is normal for Ansible operations, and the attack surface is present in environments where sensitive data (e.g., decrypted secrets) is handled in tasks [3].
Impact
An attacker who can observe Ansible execution output (such as logs or console output) could obtain confidential information. This includes decrypted secret values, passwords, or other data that the ANSIBLE_NO_LOG flag was intended to hide. The disclosure could lead to further compromise of systems or data [4].
Mitigation
Red Hat has released updated packages (see RHSA-2024:2246, RHSA-2024:0733, RHSA-2024:3043) to address this issue. Users are advised to update ansible-core to the latest patched version. No workarounds are documented, but ensuring Ansible logs are not exposed to untrusted viewers is a general best practice [2][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ansible-core (PyPI) | < 2.14.14 | 2.14.14 |
| ansible-core (PyPI) | >= 2.16.0, < 2.16.3 | 2.16.3 |
| ansible-core (PyPI) | >= 2.15.0, < 2.15.9 | 2.15.9 |
Affected products
ghsa-coords (36 versions):
- pkg:pypi/ansible-core (no CPE), range: < 2.14.14
- pkg:rpm/almalinux/ansible-core (no CPE), range: < 1:2.14.14-1.el9
- pkg:rpm/almalinux/ansible-test (no CPE), range: < 1:2.14.14-1.el9
- pkg:rpm/opensuse/ansible&distro=openSUSE%20Leap%2015.5 (no CPE), range: < 2.9.27-150000.1.17.2
- pkg:rpm/opensuse/dracut-saltboot&distro=openSUSE%20Leap%2015.5 (no CPE), range: < 0.1.1710765237.46af599-150000.1.53.2
- pkg:rpm/opensuse/golang-github-prometheus-promu&distro=openSUSE%20Leap%2015.5 (no CPE), range: < 0.14.0-150000.3.18.2
- pkg:rpm/opensuse/POS_Image-Graphical7&distro=openSUSE%20Leap%2015.5 (no CPE), range: < 0.1.1710765237.46af599-150000.1.21.2
- pkg:rpm/opensuse/POS_Image-JeOS7&distro=openSUSE%20Leap%2015.5 (no CPE), range: < 0.1.1710765237.46af599-150000.1.21.2
- pkg:rpm/opensuse/spacecmd&distro=openSUSE%20Leap%2015.5 (no CPE), range: < 4.3.27-150000.3.116.2
- pkg:rpm/suse/ansible&distro=SUSE%20Manager%20Client%20Tools%2015 (no CPE), range: < 2.9.27-150000.1.17.2
- pkg:rpm/suse/ansible&distro=SUSE%20Manager%20Client%20Tools%2015-BETA (no CPE), range: < 2.9.27-159000.3.12.2
- pkg:rpm/suse/ansible&distro=SUSE%20Manager%20Proxy%20Module%204.3 (no CPE), range: < 2.9.27-150000.1.17.2
- pkg:rpm/suse/dracut-saltboot&distro=SUSE%20Manager%20Client%20Tools%2015 (no CPE), range: < 0.1.1710765237.46af599-150000.1.53.2
- pkg:rpm/suse/dracut-saltboot&distro=SUSE%20Manager%20Client%20Tools%2015-BETA (no CPE), range: < 0.1.1710765237.46af599-159000.3.33.2
- pkg:rpm/suse/dracut-saltboot&distro=SUSE%20Manager%20Client%20Tools%20for%20SLE%20Micro%205 (no CPE), range: < 0.1.1710765237.46af599-150000.1.53.2
- pkg:rpm/suse/golang-github-prometheus-node_exporter&distro=SUSE%20Manager%20Client%20Tools%20Beta%20for%20SLE%20Micro%205 (no CPE), range: < 1.5.0-159000.6.2.1
- pkg:rpm/suse/golang-github-prometheus-promu&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5 (no CPE), range: < 0.14.0-150000.3.18.2
- pkg:rpm/suse/grafana&distro=SUSE%20Manager%20Client%20Tools%2015 (no CPE), range: < 9.5.18-150000.1.63.2
- pkg:rpm/suse/grafana&distro=SUSE%20Manager%20Client%20Tools%2015-BETA (no CPE), range: < 9.5.16-159000.4.30.2
- pkg:rpm/suse/mgr-daemon&distro=SUSE%20Manager%20Client%20Tools%2015 (no CPE), range: < 4.3.9-150000.1.47.2
- pkg:rpm/suse/POS_Image-Graphical7&distro=SUSE%20Manager%20Client%20Tools%2015 (no CPE), range: < 0.1.1710765237.46af599-150000.1.21.2
- pkg:rpm/suse/POS_Image-Graphical7&distro=SUSE%20Manager%20Client%20Tools%2015-BETA (no CPE), range: < 0.1.1710765237.46af599-159000.3.24.2
- pkg:rpm/suse/POS_Image-JeOS7&distro=SUSE%20Manager%20Client%20Tools%2015 (no CPE), range: < 0.1.1710765237.46af599-150000.1.21.2
- pkg:rpm/suse/POS_Image-JeOS7&distro=SUSE%20Manager%20Client%20Tools%2015-BETA (no CPE), range: < 0.1.1710765237.46af599-159000.3.24.2
- pkg:rpm/suse/spacecmd&distro=SUSE%20Manager%20Client%20Tools%2015 (no CPE), range: < 4.3.27-150000.3.116.2
- pkg:rpm/suse/spacecmd&distro=SUSE%20Manager%20Client%20Tools%2015-BETA (no CPE), range: < 5.0.5-159000.6.48.2
- pkg:rpm/suse/spacewalk-client-tools&distro=SUSE%20Manager%20Client%20Tools%2015 (no CPE), range: < 4.3.19-150000.3.89.2
- pkg:rpm/suse/spacewalk-client-tools&distro=SUSE%20Manager%20Client%20Tools%2015-BETA (no CPE), range: < 5.0.4-159000.6.54.2
- pkg:rpm/suse/spacewalk-koan&distro=SUSE%20Manager%20Client%20Tools%2015 (no CPE), range: < 4.3.6-150000.3.33.2
- pkg:rpm/suse/supportutils-plugin-susemanager-client&distro=SUSE%20Manager%20Client%20Tools%2015-BETA (no CPE), range: < 5.0.3-159000.6.21.2
- pkg:rpm/suse/uyuni-common-libs&distro=SUSE%20Manager%20Client%20Tools%2015 (no CPE), range: < 4.3.10-150000.1.39.2
- pkg:rpm/suse/uyuni-proxy-systemd-services&distro=SUSE%20Manager%20Client%20Tools%2015 (no CPE), range: < 4.3.12-150000.1.21.2
- pkg:rpm/suse/uyuni-proxy-systemd-services&distro=SUSE%20Manager%20Client%20Tools%20for%20SLE%20Micro%205 (no CPE), range: < 4.3.12-150000.1.21.2
- pkg:rpm/suse/uyuni-proxy-systemd-services&distro=SUSE%20Manager%20Proxy%20Module%204.3 (no CPE), range: < 4.3.12-150000.1.21.2
- pkg:rpm/suse/uyuni-tools&distro=SUSE%20Manager%20Client%20Tools%2015-BETA (no CPE), range: < 0.1.7-159000.3.8.1
- pkg:rpm/suse/uyuni-tools&distro=SUSE%20Manager%20Client%20Tools%20Beta%20for%20SLE%20Micro%205 (no CPE), range: < 0.1.7-159000.3.8.1
Patches
b9a03bbf5a63 [stable-2.16] Ensure ANSIBLE_NO_LOG is respected (CVE-2024-0690) (#82565) (#82566)
5 files changed · +21 −5
changelogs/fragments/cve-2024-0690.yml+2 −0 added@@ -0,0 +1,2 @@ +security_fixes: +- ANSIBLE_NO_LOG - Address issue where ANSIBLE_NO_LOG was ignored (CVE-2024-0690)
lib/ansible/playbook/base.py+1 −1 modified@@ -731,7 +731,7 @@ class Base(FieldAttributeBase): # flags and misc. settings environment = FieldAttribute(isa='list', extend=True, prepend=True) - no_log = FieldAttribute(isa='bool') + no_log = FieldAttribute(isa='bool', default=C.DEFAULT_NO_LOG) run_once = FieldAttribute(isa='bool') ignore_errors = FieldAttribute(isa='bool') ignore_unreachable = FieldAttribute(isa='bool')
lib/ansible/playbook/play_context.py+0 −4 modified@@ -318,10 +318,6 @@ def set_task_and_variable_override(self, task, variables, templar): display.warning('The "%s" connection plugin has an improperly configured remote target value, ' 'forcing "inventory_hostname" templated value instead of the string' % new_info.connection) - # set no_log to default if it was not previously set - if new_info.no_log is None: - new_info.no_log = C.DEFAULT_NO_LOG - if task.check_mode is not None: new_info.check_mode = task.check_mode
test/integration/targets/no_log/no_log_config.yml+13 −0 added@@ -0,0 +1,13 @@ +- hosts: testhost + gather_facts: false + tasks: + - debug: + no_log: true + + - debug: + no_log: false + + - debug: + + - debug: + loop: '{{ range(3) }}'
test/integration/targets/no_log/runme.sh+5 −0 modified@@ -19,3 +19,8 @@ set -eux # test invalid data passed to a suboption [ "$(ansible-playbook no_log_suboptions_invalid.yml -i ../../inventory -vvvvv "$@" | grep -Ec '(SUPREME|IDIOM|MOCKUP|EDUCATED|FOOTREST|CRAFTY|FELINE|CRYSTAL|EXPECTANT|AGROUND|GOLIATH|FREEFALL)')" = "0" ] + +# test variations on ANSIBLE_NO_LOG +[ "$(ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ] +[ "$(ANSIBLE_NO_LOG=0 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ] +[ "$(ANSIBLE_NO_LOG=1 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "6" ]
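Review bot: in lib/ansible/playbook/base.py, the new `default=C.DEFAULT_NO_LOG` on the `no_log` field is bound once, when the body of `class Base` is evaluated, and nothing on the line says that this default is the security fix. A one-line comment stating that the configured default must live on the field would keep a later cleanup from reverting it to `FieldAttribute(isa='bool')`. An unset `no_log` also no longer reads as None, so any remaining caller that tests `no_log is None` to detect "not specified" should be checked.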
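Review bot: in lib/ansible/playbook/play_context.py, dropping the `if new_info.no_log is None` fallback from set_task_and_variable_override removes the only normalisation of an unset value visible in this hunk, so the function now trusts that `no_log` was defaulted before it got here. If a None can still arrive on this path it will be treated as false and the output will be logged. Either keep a defensive check or add a test that exercises this function with an unset value.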
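Review bot: in test/integration/targets/no_log/no_log_config.yml, none of the four `debug` tasks carries a recognisable sentinel value, so the test can only count the "output has been hidden" banner and cannot show that a loop item is absent from the output. Giving the looped task distinctive item values and asserting a grep count of 0 for them under ANSIBLE_NO_LOG=1, the way the no_log_suboptions_invalid check in runme.sh does with its word list, would test the leak itself rather than the banner.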
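Review bot: in test/integration/targets/no_log/runme.sh, the expected counts `"1"`, `"1"` and `"6"` in the three new checks are unexplained. A comment stating which tasks and loop iterations in no_log_config.yml contribute to each count would let a maintainer change the playbook without guessing the new totals. The unset and `ANSIBLE_NO_LOG=0` cases assert the same value, which is worth saying explicitly in that comment as well.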
78db3a3de6b4 [stable-2.15] Ensure ANSIBLE_NO_LOG is respected (CVE-2024-0690) (#82565) (#82567)
5 files changed · +21 −5
changelogs/fragments/cve-2024-0690.yml+2 −0 added@@ -0,0 +1,2 @@ +security_fixes: +- ANSIBLE_NO_LOG - Address issue where ANSIBLE_NO_LOG was ignored (CVE-2024-0690)
lib/ansible/playbook/base.py+1 −1 modified@@ -731,7 +731,7 @@ class Base(FieldAttributeBase): # flags and misc. settings environment = FieldAttribute(isa='list', extend=True, prepend=True) - no_log = FieldAttribute(isa='bool') + no_log = FieldAttribute(isa='bool', default=C.DEFAULT_NO_LOG) run_once = FieldAttribute(isa='bool') ignore_errors = FieldAttribute(isa='bool') ignore_unreachable = FieldAttribute(isa='bool')
lib/ansible/playbook/play_context.py+0 −4 modified@@ -318,10 +318,6 @@ def set_task_and_variable_override(self, task, variables, templar): display.warning('The "%s" connection plugin has an improperly configured remote target value, ' 'forcing "inventory_hostname" templated value instead of the string' % new_info.connection) - # set no_log to default if it was not previously set - if new_info.no_log is None: - new_info.no_log = C.DEFAULT_NO_LOG - if task.check_mode is not None: new_info.check_mode = task.check_mode
test/integration/targets/no_log/no_log_config.yml+13 −0 added@@ -0,0 +1,13 @@ +- hosts: testhost + gather_facts: false + tasks: + - debug: + no_log: true + + - debug: + no_log: false + + - debug: + + - debug: + loop: '{{ range(3) }}'
test/integration/targets/no_log/runme.sh+5 −0 modified@@ -19,3 +19,8 @@ set -eux # test invalid data passed to a suboption [ "$(ansible-playbook no_log_suboptions_invalid.yml -i ../../inventory -vvvvv "$@" | grep -Ec '(SUPREME|IDIOM|MOCKUP|EDUCATED|FOOTREST|CRAFTY|FELINE|CRYSTAL|EXPECTANT|AGROUND|GOLIATH|FREEFALL)')" = "0" ] + +# test variations on ANSIBLE_NO_LOG +[ "$(ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ] +[ "$(ANSIBLE_NO_LOG=0 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ] +[ "$(ANSIBLE_NO_LOG=1 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "6" ]
beb04bc2642c [stable-2.14] Ensure ANSIBLE_NO_LOG is respected (CVE-2024-0690) (#82565) (#82568)
5 files changed · +21 −5
changelogs/fragments/cve-2024-0690.yml+2 −0 added@@ -0,0 +1,2 @@ +security_fixes: +- ANSIBLE_NO_LOG - Address issue where ANSIBLE_NO_LOG was ignored (CVE-2024-0690)
lib/ansible/playbook/base.py+1 −1 modified@@ -722,7 +722,7 @@ class Base(FieldAttributeBase): # flags and misc. settings environment = FieldAttribute(isa='list', extend=True, prepend=True) - no_log = FieldAttribute(isa='bool') + no_log = FieldAttribute(isa='bool', default=C.DEFAULT_NO_LOG) run_once = FieldAttribute(isa='bool') ignore_errors = FieldAttribute(isa='bool') ignore_unreachable = FieldAttribute(isa='bool')
lib/ansible/playbook/play_context.py+0 −4 modified@@ -320,10 +320,6 @@ def set_task_and_variable_override(self, task, variables, templar): display.warning('The "%s" connection plugin has an improperly configured remote target value, ' 'forcing "inventory_hostname" templated value instead of the string' % new_info.connection) - # set no_log to default if it was not previously set - if new_info.no_log is None: - new_info.no_log = C.DEFAULT_NO_LOG - if task.check_mode is not None: new_info.check_mode = task.check_mode
test/integration/targets/no_log/no_log_config.yml+13 −0 added@@ -0,0 +1,13 @@ +- hosts: testhost + gather_facts: false + tasks: + - debug: + no_log: true + + - debug: + no_log: false + + - debug: + + - debug: + loop: '{{ range(3) }}'
test/integration/targets/no_log/runme.sh+5 −0 modified@@ -19,3 +19,8 @@ set -eux # test invalid data passed to a suboption [ "$(ansible-playbook no_log_suboptions_invalid.yml -i ../../inventory -vvvvv "$@" | grep -Ec '(SUPREME|IDIOM|MOCKUP|EDUCATED|FOOTREST|CRAFTY|FELINE|CRYSTAL|EXPECTANT|AGROUND|GOLIATH|FREEFALL)')" = "0" ] + +# test variations on ANSIBLE_NO_LOG +[ "$(ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ] +[ "$(ANSIBLE_NO_LOG=0 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ] +[ "$(ANSIBLE_NO_LOG=1 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "6" ]
6935c8e30344 Ensure ANSIBLE_NO_LOG is respected (CVE-2024-0690) (#82565)
5 files changed · +21 −5
changelogs/fragments/cve-2024-0690.yml+2 −0 added@@ -0,0 +1,2 @@ +security_fixes: +- ANSIBLE_NO_LOG - Address issue where ANSIBLE_NO_LOG was ignored (CVE-2024-0690)
lib/ansible/playbook/base.py+1 −1 modified@@ -730,7 +730,7 @@ class Base(FieldAttributeBase): # flags and misc. settings environment = FieldAttribute(isa='list', extend=True, prepend=True) - no_log = FieldAttribute(isa='bool') + no_log = FieldAttribute(isa='bool', default=C.DEFAULT_NO_LOG) run_once = FieldAttribute(isa='bool') ignore_errors = FieldAttribute(isa='bool') ignore_unreachable = FieldAttribute(isa='bool')
lib/ansible/playbook/play_context.py+0 −4 modified@@ -316,10 +316,6 @@ def set_task_and_variable_override(self, task, variables, templar): display.warning('The "%s" connection plugin has an improperly configured remote target value, ' 'forcing "inventory_hostname" templated value instead of the string' % new_info.connection) - # set no_log to default if it was not previously set - if new_info.no_log is None: - new_info.no_log = C.DEFAULT_NO_LOG - if task.check_mode is not None: new_info.check_mode = task.check_mode
test/integration/targets/no_log/no_log_config.yml+13 −0 added@@ -0,0 +1,13 @@ +- hosts: testhost + gather_facts: false + tasks: + - debug: + no_log: true + + - debug: + no_log: false + + - debug: + + - debug: + loop: '{{ range(3) }}'
test/integration/targets/no_log/runme.sh+5 −0 modified@@ -19,3 +19,8 @@ set -eux # test invalid data passed to a suboption [ "$(ansible-playbook no_log_suboptions_invalid.yml -i ../../inventory -vvvvv "$@" | grep -Ec '(SUPREME|IDIOM|MOCKUP|EDUCATED|FOOTREST|CRAFTY|FELINE|CRYSTAL|EXPECTANT|AGROUND|GOLIATH|FREEFALL)')" = "0" ] + +# test variations on ANSIBLE_NO_LOG +[ "$(ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ] +[ "$(ANSIBLE_NO_LOG=0 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "1" ] +[ "$(ANSIBLE_NO_LOG=1 ansible-playbook no_log_config.yml -i ../../inventory -vvvvv "$@" | grep -Ec 'the output has been hidden')" = "6" ]
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2024:0733 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2024:2246 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- access.redhat.com/errata/RHSA-2024:3043 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- github.com/advisories/GHSA-h24r-m9qc-pvpg (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-0690 (ghsa, ADVISORY)
- access.redhat.com/security/cve/CVE-2024-0690 (ghsa, vdb-entry, x_refsource_REDHAT, WEB)
- bugzilla.redhat.com/show_bug.cgi (ghsa, issue-tracking, x_refsource_REDHAT, WEB)
- github.com/ansible/ansible/commit/6935c8e303440addd3871ecf8e04bde61080b032 (ghsa, WEB)
- github.com/ansible/ansible/commit/78db3a3de6b40fb52d216685ae7cb903c609c3e1 (ghsa, WEB)
- github.com/ansible/ansible/commit/b9a03bbf5a63459468baf8895ff74a62e9be4532 (ghsa, WEB)
- github.com/ansible/ansible/commit/beb04bc2642c208447c5a936f94310528a1946b1 (ghsa, WEB)
- github.com/ansible/ansible/pull/82565 (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/ansible-core/PYSEC-2024-36.yaml (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IZQGCRDSZL7ONCULMB6ZUHOE4L44KIBP (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDYSWOCPZMNRU5LWKIEBW4WGWLMTU7WQ (ghsa, WEB)
- security.netapp.com/advisory/ntap-20250117-0001 (ghsa, WEB)