Medium severity5.5NVD Advisory· Published Dec 4, 2025· Updated May 6, 2026

CVE-2025-14010

Description

A flaw was found in ansible-collection-community-general. This vulnerability allows for information exposure (IE) of sensitive credentials, specifically plaintext passwords, via verbose output when running Ansible with debug modes. Attackers with access to logs could retrieve these secrets and potentially compromise Keycloak accounts or administrative access.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
ansiblePyPI	< 12.2.0	12.2.0

Affected products

Red Hat/Community.general
cpe:2.3:a:redhat:community.general:-:*:*:*:*:*:*:*
Red Hat/Red Hat Ceph Storage 5v5
cpe:/a:redhat:ceph_storage:5
Red Hat/Red Hat Ceph Storage 6v5
cpe:/a:redhat:ceph_storage:6
Red Hat/Red Hat Ceph Storage 7v5
cpe:/a:redhat:ceph_storage:7
Red Hat/Red Hat Ceph Storage 8v5
cpe:/a:redhat:ceph_storage:8
Red Hat/Red Hat OpenStack Platform 17.1v5
cpe:/a:redhat:openstack:17.1
Red Hat/Red Hat OpenStack Platform 18.0v5
cpe:/a:redhat:openstack:18.0
ansible-collections/Ansible Community General Collectionv5
Range: 7.1.0

Patches

08e56bbb9b57

Mark credentials[].value as no_log=True.

https://github.com/ansible-collections/community.generalFelix FonteinOct 28, 2025via ghsa

commit

2 files changed · +5 −1

changelogs/fragments/11005-keycloak_user.yml+4 −0 added

@@ -0,0 +1,4 @@
+security_fixes:
+  - "keycloak_user - the parameter ``credentials[].value`` is now marked as ``no_log=true``. Before it was logged by Ansible, unless the task was marked as ``no_log: true``.
+     Since this parameter can be used for passwords, this resulted in credential leaking
+     (https://github.com/ansible-collections/community.general/issues/11000, https://github.com/ansible-collections/community.general/pull/11005)."

plugins/modules/keycloak_user.py+1 −1 modified

@@ -355,7 +355,7 @@ def main():
     argument_spec['auth_username']['aliases'] = []
     credential_spec = dict(
         type=dict(type='str', required=True),
-        value=dict(type='str', required=True),
+        value=dict(type='str', required=True, no_log=True),
         temporary=dict(type='bool', default=False)
     )
     client_consents_spec = dict(

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

access.redhat.com/security/cve/CVE-2025-14010nvdVendor AdvisoryWEB
bugzilla.redhat.com/show_bug.cginvdIssue TrackingVendor AdvisoryWEB
github.com/advisories/GHSA-8ggh-xwr9-3373ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-14010ghsaADVISORY
github.com/ansible-collections/community.general/commit/08e56bbb9b57740a879d3057d84cdb02a162b840ghsaWEB
github.com/ansible-collections/community.general/issues/11000nvdWEB
github.com/ansible-community/ansible-build-data/blob/12.2.0/12/CHANGELOG-v12.mdghsaWEB
github.com/ansible-collections/community.general/pull/11005nvd
github.com/ansible-community/ansible-build-data/blob/main/12/CHANGELOG-v12.mdnvd

News mentions

No linked articles in our index yet.

cvss	0.358
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000