
CVE-2020-14330: Improper Output Neutralization and Improper Encoding or Escaping of Output for Logs in ansible

CVSS Score
5.5 (CVSS v3.1)

Basic Information

EPSS Score
0.32347%
Published
2/9/2022
Updated
9/5/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name
ansible
Ecosystem
pip
Vulnerable Versions
< 2.10.0
First Patched Version
2.10.0

Vulnerability Intelligence

Root Cause Analysis

The core vulnerability stems from improper key sanitization in the logging/output pipeline. The commit diff shows:

  1. In basic.py's remove_values function, keys were previously not processed for no-log values (old_key was used directly).
  2. The patch adds new_key = _remove_values_conditions(old_key,...) to sanitize keys.
  3. Test cases demonstrate that keys like 'key-password' were previously leaked and now become 'key-********'. This indicates that remove_values was the primary point of failure, because it processed keys incompletely, while _remove_values_conditions was not applied to keys at all.
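The defect described above, as an added, constructed example. This is not Ansible's basic.py and does not reproduce its remove_values or _remove_values_conditions code; the names scrub_scalar, remove_values_vulnerable, remove_values_fixed, find_leaked_secrets and the sample task result are all assumptions made here. It places the pre-fix behaviour (values scrubbed, dictionary keys copied through unchanged) beside the post-fix behaviour (keys run through the same sanitizer), and adds a defender-side check that reports any no_log string still present in keys or values of a result before it reaches a log:

```python
# Added, constructed example (not Ansible's own code): models a no_log scrubber
# that masks secret values but reuses dictionary keys untouched, so a key such
# as "key-<secret>" leaks into logs and JSON output, and the corrected variant.
from collections.abc import Mapping, Sequence

MASK = "********"


def scrub_scalar(value, no_log_values):
    """Replace every occurrence of a no_log string inside one scalar.

    Hypothetical, simplified stand-in for the per-value sanitization step:
    plain substring replacement on str; other scalar types pass through.
    """
    if isinstance(value, str):
        for secret in no_log_values:
            if secret:  # never mask the empty string, it would shred all output
                value = value.replace(secret, MASK)
    return value


def _is_list_like(value):
    return isinstance(value, Sequence) and not isinstance(value, (str, bytes))


def remove_values_vulnerable(value, no_log_values):
    """Pre-fix behaviour: values are scrubbed, keys are reused as-is (old_key)."""
    if isinstance(value, Mapping):
        return {old_key: remove_values_vulnerable(v, no_log_values)
                for old_key, v in value.items()}
    if _is_list_like(value):
        return [remove_values_vulnerable(v, no_log_values) for v in value]
    return scrub_scalar(value, no_log_values)


def remove_values_fixed(value, no_log_values):
    """Post-fix behaviour: each key goes through the same scrubber as values."""
    if isinstance(value, Mapping):
        result = {}
        for old_key, v in value.items():
            new_key = scrub_scalar(old_key, no_log_values)  # sanitize the key too
            result[new_key] = remove_values_fixed(v, no_log_values)
        return result
    if _is_list_like(value):
        return [remove_values_fixed(v, no_log_values) for v in value]
    return scrub_scalar(value, no_log_values)


def find_leaked_secrets(value, no_log_values):
    """Defender-side check: the set of no_log strings still present anywhere
    in a structure, inspecting keys as well as values."""
    leaked = set()
    if isinstance(value, Mapping):
        for k, v in value.items():
            leaked |= find_leaked_secrets(k, no_log_values)
            leaked |= find_leaked_secrets(v, no_log_values)
    elif _is_list_like(value):
        for v in value:
            leaked |= find_leaked_secrets(v, no_log_values)
    elif isinstance(value, str):
        leaked |= {s for s in no_log_values if s and s in value}
    return leaked


# Constructed sample task result: the secret appears in a value, in free text,
# and inside a dictionary key (the case the pre-fix scrubber misses).
SAMPLE_RESULT = {
    "changed": False,
    "status": 200,
    "json": {"key-s3cr3tpass": "active", "msg": "auth with s3cr3tpass ok"},
    "content": "session=s3cr3tpass",
}
NO_LOG_VALUES = ["s3cr3tpass"]


if __name__ == "__main__":
    before = remove_values_vulnerable(SAMPLE_RESULT, NO_LOG_VALUES)
    after = remove_values_fixed(SAMPLE_RESULT, NO_LOG_VALUES)
    print("vulnerable:", before, "leaks:", find_leaked_secrets(before, NO_LOG_VALUES))
    print("fixed:     ", after, "leaks:", find_leaked_secrets(after, NO_LOG_VALUES))
```

Running the block shows the vulnerable variant leaving "key-s3cr3tpass" intact while masking the same secret everywhere else, and the fixed variant producing "key-********". One design point worth noting when sanitizing keys: two distinct keys can collapse to the same masked key, so a real implementation should decide whether such collisions are acceptable for log output (here the later key silently wins).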


WAF Protection Rules

WAF Rule

An Improper Output Neutralization for Logs flaw was found in ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys use
