5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-8775

GHSA ID

GHSA-jpxc-vmjf-9fcj

EPSS Score

0.05298%

CWE

CWE-532

Published

9/16/2024

Updated

2/24/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-8775

CVE-2024-8775: Ansible vulnerable to Insertion of Sensitive Information into Log File

A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.

(GitHub Advisory)

5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-8775

GHSA ID

GHSA-jpxc-vmjf-9fcj

EPSS Score

0.05298%

CWE

CWE-532

Published

9/16/2024

Updated

2/24/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ansible-core	pip	>= 2.17.0b1, < 2.17.6	2.17.6
ansible-core	pip	< 2.16.13	2.16.13

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of no_log values in result formatting. The commit diff shows critical changes in _return_formatted() where boolean/None values are preserved before no_log filtering and restored afterward. This indicates the original implementation's remove_values() call would mask booleans like changed=False if they matched no_log patterns (e.g., if a vault secret was 'False'), while failing to properly mask actual secrets. The associated tests in module_that_has_secret.py validate this fix by ensuring booleans remain visible while secrets are masked.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *l*w w*s *oun* in *nsi*l*, w**r* s*nsitiv* in*orm*tion stor** in *nsi*l* V*ult *il*s **n ** *xpos** in pl*int*xt *urin* t** *x**ution o* * pl*y*ook. T*is o**urs w**n usin* t*sks su** *s in*lu**_v*rs to lo** v*ult** v*ri**l*s wit*out s*ttin* t** no_

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* no_lo* v*lu*s in r*sult *orm*ttin*. T** *ommit *i** s*ows *riti**l ***n**s in _r*turn_*orm*tt**() w**r* *ool**n/Non* v*lu*s *r* pr*s*rv** ***or* no_lo* *ilt*rin* *n* r*stor** **t*rw*r*. T*is in*i**t*s

5.5

Basic Information

Concerned about an active attack path?

CVE-2024-8775: Ansible vulnerable to Insertion of Sensitive Information into Log File

5.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI