CVE-2024-8775: Ansible vulnerable to Insertion of Sensitive Information into Log File
CVSS Score: 5.5 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.05298%
CWE
Published: 9/16/2024
Updated: 2/24/2025
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ansible-core | pip | >= 2.17.0b1, < 2.17.6 | 2.17.6 |
| ansible-core | pip | < 2.16.13 | 2.16.13 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper handling of no_log values in result formatting. The commit diff shows critical changes in _return_formatted() where boolean/None values are preserved before no_log filtering and restored afterward. This indicates the original implementation's remove_values() call would mask booleans like changed=False if they matched no_log patterns (e.g., if a vault secret was 'False'), while failing to properly mask actual secrets. The associated tests in module_that_has_secret.py validate this fix by ensuring booleans remain visible while secrets are masked.
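
The boolean collision described above, as an added example that is not ansible-core's code: mask_values() is a simplified stand-in for the remove_values() step, and the function names, the MASK marker and the sample data are assumptions constructed for illustration. It shows only the preserve-and-restore behaviour for top-level booleans and None.

```python
MASK = "VALUE_HIDDEN"  # constructed placeholder, not Ansible's actual marker


def mask_values(value, no_log_values):
    """Simplified stand-in for the remove_values() step: hide anything matching a secret."""
    if isinstance(value, dict):
        return {k: mask_values(v, no_log_values) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [mask_values(v, no_log_values) for v in value]
    if isinstance(value, str):
        if value in no_log_values:
            return MASK
        for secret in no_log_values:
            value = value.replace(secret, "********")
        return value
    # Other scalars (bool, int, None) are compared by their string form, so the
    # boolean False collides with a secret whose text is "False".
    return MASK if str(value) in no_log_values else value


def format_result_before(result, no_log_values):
    """Behaviour the analysis attributes to the original code: filter every value."""
    return mask_values(result, no_log_values)


def format_result_after(result, no_log_values):
    """Behaviour the analysis attributes to the fix: keep bool/None, filter, restore."""
    preserved = {k: v for k, v in result.items() if v is None or isinstance(v, bool)}
    filtered = mask_values(result, no_log_values)
    filtered.update(preserved)  # booleans and None come back unmasked
    return filtered


# Constructed sample: a module result and a no_log secret whose text is "False".
NO_LOG = {"False", "s3cr3t-token"}
RESULT = {"changed": False, "failed": False, "skipped": None,
          "msg": "login with s3cr3t-token ok", "token": "s3cr3t-token"}

if __name__ == "__main__":
    print("before:", format_result_before(RESULT, NO_LOG))
    print("after: ", format_result_after(RESULT, NO_LOG))
```
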