We use cookies to improve your experience on our site.
AVID-2026-R1625
Description
Ansible-core: exposure of sensitive information in ansible vault files due to improper logging (CVE-2024-8775)
Details
A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.
Reason for inclusion in AVID: CVE-2024-8775 describes exposure of sensitive data in Ansible Vault files due to improper logging in Ansible-core. While not AI-specific, Ansible is widely used to deploy and manage AI/ML infrastructures and pipelines (orchestrating deployment, configuration, and runtime environments). A leak of secrets during automation can compromise AI system deployment/build processes, making it a software supply-chain concern for general-purpose AI systems. It is a vulnerability (privacy/confidentiality impact) in a software component commonly used in AI stacks. The report provides explicit evidence (CVE description, CVSS, and references).
References
- NVD entry
- https://access.redhat.com/errata/RHSA-2024:10762
- https://access.redhat.com/errata/RHSA-2024:8969
- https://access.redhat.com/errata/RHSA-2024:9894
- https://access.redhat.com/errata/RHSA-2025:1249
- https://access.redhat.com/security/cve/CVE-2024-8775
- https://bugzilla.redhat.com/show_bug.cgi?id=2312119
- https://github.com/advisories/GHSA-jpxc-vmjf-9fcj
Affected or Relevant Artifacts
- Developer: Red Hat
- Deployer: Red Hat
- Artifact Details:
| Type | Name |
|---|---|
| System | Ansible Automation Platform Execution Environments |
| System | Ansible Automation Platform Execution Environments |
| System | Ansible Automation Platform Execution Environments |
| System | Ansible Automation Platform Execution Environments |
| System | Ansible Automation Platform Execution Environments |
| System | Discovery 1 for RHEL 9 |
| System | Discovery 1 for RHEL 9 |
| System | Red Hat Ansible Automation Platform 2.4 for RHEL 8 |
| System | Red Hat Ansible Automation Platform 2.4 for RHEL 9 |
| System | Red Hat Ansible Automation Platform 2.5 for RHEL 8 |
| System | Red Hat Ansible Automation Platform 2.5 for RHEL 9 |
| System | Red Hat Enterprise Linux 10 |
| System | Red Hat Enterprise Linux AI (RHEL AI) |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| Base Score | 5.5 |
| Base Severity | 🟠 Medium |
| Attack Vector | LOCAL |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🟢 Low |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | NONE |
| Availability Impact | NONE |
CWE
| ID | Description |
|---|---|
| CWE-532 | Insertion of Sensitive Information into Log File |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-09-14
- Version: 0.3.3
- AVID Entry