- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3963-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
November 23, 2024                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : ansible
Version        : 2.10.7+merged+base+2.10.17+dfsg-0+deb11u2
CVE ID         : CVE-2024-8775 CVE-2024-9902
Debian Bug     : 1082851

Ansible is a command-line IT automation software application.
It can configure systems, deploy software, and orchestrate
advanced workflows to support application deployment, system updates, ...

Ansible was affected by two vulnerabilities:

CVE-2024-8775

    A flaw was found in Ansible, where sensitive information stored in
    Ansible Vault files can be exposed in plaintext during the execution
    of a playbook. This occurs when using tasks such as include_vars to
    load vaulted variables without setting the no_log: true parameter,
    resulting in sensitive data being printed in the playbook output or
    logs. This can lead to the unintentional disclosure of secrets like
    passwords or API keys, compromising security and potentially
    allowing unauthorized access or actions.

CVE-2024-9902

    The ansible-core `user` module can allow an unprivileged user to
    silently create or replace the contents of any file on any system path
    and take ownership of it when a privileged user executes
    the `user` module against the unprivileged user's home directory.
    If the unprivileged user has traversal permissions on the directory
    containing the exploited target file, they retain full control
    over the contents of the file as its owner.

For Debian 11 bullseye, these problems have been fixed in version
2.10.7+merged+base+2.10.17+dfsg-0+deb11u2.

We recommend that you upgrade your ansible packages.

For the detailed security status of ansible please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ansible

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Debian LTS: DLA-3963-1: ansible Security Advisory Updates

November 24, 2024
Ansible is a command-line IT automation software application

Summary

Ansible was affected by two vulnerabilities:

CVE-2024-8775

A flaw was found in Ansible, where sensitive information stored in
Ansible Vault files can be exposed in plaintext during the execution
of a playbook. This occurs when using tasks such as include_vars to
load vaulted variables without setting the no_log: true parameter,
resulting in sensitive data being printed in the playbook output or
logs. This can lead to the unintentional disclosure of secrets like
passwords or API keys, compromising security and potentially
allowing unauthorized access or actions.

CVE-2024-9902

The ansible-core `user` module can allow an unprivileged user to
silently create or replace the contents of any file on any system path
and take ownership of it when a privileged user executes
the `user` module against the unprivileged user's home directory.
If the unprivileged user has traversal permissions on the directory
containing the exploited target file, they retai...

Read the Full Advisory


Severity
Package : ansible
Version : 2.10.7+merged+base+2.10.17+dfsg-0+deb11u2
CVE ID : CVE-2024-8775 CVE-2024-9902
Debian Bug : 1082851

Related News

Linux 6.11 EOL: Upgrade to 6.12 for Security and Performance Benefits
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Census III Report: Key Strategies for Linux Security Enhancement
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
Qt 6.8.1: Essential Fixes for Wayland and Security Issues
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Arch Linux 2024.12.01: Improved Hardware Support and Security Features
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Linux Kernel 6.13: Security Updates Enhance System Resilience
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Protect Linux Systems from Bootkitty: UEFI Bootkit Defense Strategies
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved