VYPR
Medium severity 5.5 · NVD Advisory · Published Sep 14, 2024 · Updated Apr 15, 2026

CVE-2024-8775

Description

A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.
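
A playbook check for the condition described above, as an added example that is not part of the advisory or the Ansible project: it flags `include_vars` tasks that have no task-level `no_log: true`. The function name, the sample playbook and the line-based parsing are assumptions; `no_log` set on an enclosing block or play is not considered.

```python
import re

# Added example: heuristic, line-based check for block-style YAML ("- key: value").
LOADERS = {"include_vars", "ansible.builtin.include_vars"}
TRUTHY = {"true", "yes"}
KEY_LINE = re.compile(r"^(\s*)(- )?([\w.]+):(?:\s+(.*))?$")

# Constructed sample playbook, not taken from the advisory.
SAMPLE = """\
- hosts: all
  tasks:
    - name: Load vaulted vars
      include_vars: vault.yml

    - name: Load vaulted vars quietly
      ansible.builtin.include_vars:
        file: vault.yml
      no_log: true
"""


def find_unprotected_include_vars(playbook_text):
    """Return [(line, task name)] for include_vars tasks without no_log: true."""
    stack, tasks = [], []
    for number, raw in enumerate(playbook_text.splitlines(), start=1):
        match = KEY_LINE.match(raw.split(" #", 1)[0].rstrip())
        if not match:
            continue
        spaces, dash, key, value = match.groups()
        # Keys of a list item sit two columns to the right of its dash.
        indent = len(spaces) + (2 if dash else 0)
        # Leave deeper items (module arguments, nested block tasks).
        while stack and stack[-1]["indent"] > indent:
            stack.pop()
        if dash:
            if stack and stack[-1]["indent"] == indent:
                stack.pop()  # a sibling item replaces the previous one
            stack.append({"indent": indent, "line": number, "keys": {}})
            tasks.append(stack[-1])
        if stack and stack[-1]["indent"] == indent:
            stack[-1]["keys"][key] = (value or "").strip("\"'")
    return [(t["line"], t["keys"].get("name", "<unnamed>")) for t in tasks
            if LOADERS.intersection(t["keys"])
            and t["keys"].get("no_log", "").lower() not in TRUTHY]


if __name__ == "__main__":
    for line, name in find_unprotected_include_vars(SAMPLE):
        print("line %d: task %r loads variables without no_log: true" % (line, name))
```

A templated `no_log` value is reported as unprotected, since the check cannot evaluate it.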

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| ansible-core (PyPI) | >= 2.17.0b1, < 2.17.6 | 2.17.6 |
| ansible-core (PyPI) | < 2.16.13 | 2.16.13 |

Patches

8a87e1c5d374

no_log avoid masking booleans (#82217) (#82235)

https://github.com/ansible/ansible · Brian Coca · Nov 27, 2023 · via ghsa
4 files changed · +71 0
  • changelogs/fragments/no_log_booly.yml+2 0 added
    @@ -0,0 +1,2 @@
    +bugfixes:
    +  - module no_log will no longer affect top level booleans, for example ``no_log_module_parameter='a'`` will no longer hide ``changed=False`` as a 'no log value' (matches 'a').
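
Review bot: The fragment mentions only top-level booleans, but the accompanying change in `_return_formatted` also preserves `None` (`if v is None or isinstance(v, bool)`). Suggest saying "top level booleans and None" here, and rewording the example so it is clear that the no_log value 'a' was matching the 'a' inside the string form of `False`.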
    
  • lib/ansible/module_utils/basic.py+12 0 modified
    @@ -1489,7 +1489,19 @@ def _return_formatted(self, kwargs):
             if deprecations:
                 kwargs['deprecations'] = deprecations
     
    +        # preserve bools/none from no_log
    +        # TODO: once python version on target high enough, dict comprh
    +        preserved = {}
    +        for k, v in kwargs.items():
    +            if v is None or isinstance(v, bool):
    +                preserved[k] = v
    +
    +        # strip no_log collisions
             kwargs = remove_values(kwargs, self.no_log_values)
    +
    +        # return preserved
    +        kwargs.update(preserved)
    +
             print('\n%s' % self.jsonify(kwargs))
     
         def exit_json(self, **kwargs):
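
Review bot: The `for k, v in kwargs.items()` loop preserves only top-level entries, so a boolean or `None` nested inside a returned dict or list is still passed through `remove_values` without being restored. If that limit is intended, the `# preserve bools/none from no_log` comment should say "top-level" so it is documented next to the code; the `dict comprh` abbreviation in the TODO would also read better spelled out.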
    
  • test/integration/targets/module_no_log/library/module_that_has_secret.py+19 0 added
    @@ -0,0 +1,19 @@
    +#!/usr/bin/python
    +from __future__ import (absolute_import, division, print_function)
    +__metaclass__ = type
    +
    +from ansible.module_utils.basic import AnsibleModule
    +
    +
    +def main():
    +    module = AnsibleModule(argument_spec=dict(
    +        secret=dict(no_log=True),
    +        notsecret=dict(no_log=False),
    +    ))
    +
    +    msg = "My secret is: (%s), but don't tell %s" % (module.params['secret'], module.params['notsecret'])
    +    module.exit_json(msg=msg, changed=bool(module.params['secret'] == module.params['notsecret']))
    +
    +
    +if __name__ == '__main__':
    +    main()
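
Review bot: `exit_json` here returns only `msg` and `changed`, so the `v is None` branch added to `_return_formatted` is never exercised by this test module. Suggest returning an extra top-level key whose value is `None` and asserting on it in the tasks file; the `bool(...)` wrapper around the `==` comparison is also redundant.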
    
  • test/integration/targets/module_no_log/tasks/main.yml+38 0 modified
    @@ -59,3 +59,41 @@
           # 2) the AnsibleModule.log method is not working
           - good_message in grep.stdout
           - bad_message not in grep.stdout
    +
    +- name: Ensure we do not obscure what we should not
    +  block:
    +    - module_that_has_secret:
    +        secret: u
    +        notsecret: u
    +      register: ouch
    +      ignore_errors: true
    +
    +    - name: no log wont obscure booleans when True, but still hide in msg
    +      assert:
    +        that:
    +          - ouch['changed'] is boolean
    +          - "'*' in ouch['msg']"
    +
    +    - module_that_has_secret:
    +        secret: a
    +        notsecret: b
    +      register: ouch
    +      ignore_errors: true
    +
    +    - name: no log wont obscure booleans when False, but still hide in msg
    +      assert:
    +        that:
    +          - ouch['changed'] is boolean
    +          - "'*' in ouch['msg']"
    +
    +    - module_that_has_secret:
    +        secret: True
    +        notsecret: False
    +      register: ouch
    +      ignore_errors: true
    +
    +    - name: no log does not hide bool values
    +      assert:
    +        that:
    +          - ouch['changed'] is boolean
    +          - "'*' not in ouch['msg']"
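
Review bot: All three assert blocks check only `ouch['changed'] is boolean`, never its value, so a result that came back with the wrong boolean would still pass. The module sets `changed` from `secret == notsecret`, so the expected values are known (true for `u`/`u`, false for `a`/`b` and for `True`/`False`); suggest asserting them directly. `ignore_errors: true` on each module call also means a module failure is only noticed indirectly through the asserts.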
    
