CVE-2020-14330: Improper Output Neutralization and Improper Encoding or Escaping of Output for Logs in ansible
5.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.32347%
CWE
Published
2/9/2022
Updated
9/5/2024
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
ansible | pip | < 2.10.0 | 2.10.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The core vulnerability stems from improper key sanitization in the logging/output pipeline. The commit diff shows:
- In basic.py's remove_values function, keys were previously not processed for no-log values (old_key was used directly).
- The patch adds new_key = _remove_values_conditions(old_key,...) to sanitize keys.
- Test cases demonstrate that keys like 'key-password' were previously leaked, and now become 'key-********'. This indicates the remove_values function was the primary point of failure due to incomplete key processing, while _remove_values_conditions was underutilized in key sanitization context.