Miggo Logo
Miggo Vulnerability Database
CVE-2017-7550

CVE-2017-7550: Ansible Insertion of Sensitive Information into Log File vulnerability

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2017-7550
GHSA ID
GHSA-588w-w6mv-3cw5
EPSS Score
0.6321%
CWE
CWE-532
Published
5/13/2022
Updated
9/4/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
ansiblepip>= 2.4.0.0, < 2.4.1.02.4.1.0
ansiblepip>= 2.3.0.0, < 2.3.3.02.3.3.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from the 'params' argument handling in both modules. The commit diff shows both modules previously had code that merged user-provided 'params' dict into module parameters without proper validation. This allowed attackers to inject sensitive parameters like passwords that would bypass Ansible's security controls (like no_log) and appear in logs. The removal of this 'params' handling in the patch confirms these were the vulnerable code paths.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *l*w w*s *oun* in t** w*y *nsi*l* (*.*.x ***or* *.*.*, *n* *.*.x ***or* *.*.*) p*ss** **rt*in p*r*m*t*rs to t** j*nkins_plu*in mo*ul*. R*mot* *tt**k*rs *oul* us* t*is *l*w to *xpos* s*nsitiv* in*orm*tion *rom * r*mot* *ost's lo*s. T*is *l*w w*s *ix

Reasoning

T** vuln*r**ility st*mm** *rom t** 'p*r*ms' *r*um*nt **n*lin* in *ot* mo*ul*s. T** *ommit *i** s*ows *ot* mo*ul*s pr*viously *** *o** t**t m*r*** us*r-provi*** 'p*r*ms' *i*t into mo*ul* p*r*m*t*rs wit*out prop*r v*li**tion. T*is *llow** *tt**k*rs to