Skip to main content

Ansible CVE-2025-2877

MEDIUM
Debug Messages Revealing Unnecessary Information (CWE-1295)
2025-03-28 secalert@redhat.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Red Hat
6.5 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 20, 2026 - 18:22 vuln.today
CVE Published
Mar 28, 2025 - 14:15 nvd
MEDIUM 6.5

DescriptionCVE.org

A flaw was found in the Ansible Automation Platform's Event-Driven Ansible. In configurations where verbosity is set to "debug", inventory passwords are exposed in plain text when starting a rulebook activation. This issue exists for any "debug" action in a rulebook and also affects Event Streams.

AnalysisAI

Ansible Automation Platform's Event-Driven Ansible exposes inventory passwords in plain text when debug verbosity is enabled during rulebook activation, affecting both standard debug actions and Event Streams configurations. Authenticated users with access to debug-enabled ruleebooks can retrieve plaintext credentials through logs or console output. With CVSS 6.5 and EPSS 0.26% (percentile 49%), this represents moderate severity; no active exploitation has been confirmed, but the low complexity and authenticated-only requirement (PR:L) make this a practical concern for organizations using debug-level logging in production environments.

Technical ContextAI

The vulnerability stems from CWE-1295 (Improper Neutralization of Sensitive Information in Logs), a root cause involving improper redaction or filtering of sensitive data during logging operations. Event-Driven Ansible, part of the Red Hat Ansible Automation Platform, processes rulebook activations and Event Streams configurations; when verbosity is set to debug level, the logging mechanism fails to mask credentials that are part of inventory definitions. This affects the rulebook execution engine's interaction with inventory management and credential handling, where plaintext passwords should be redacted before being written to debug output or console streams. The issue spans both standard debug actions and Event Streams integrations, indicating a systemic logging control gap rather than isolated code path.

Affected ProductsAI

Ansible Automation Platform Event-Driven Ansible is affected; specific version ranges are not detailed in provided references, but Red Hat has issued security advisories RHSA-2025:3636 and RHSA-2025:3637 indicating fixes are available. The vulnerability also impacts Event Streams configurations integrated with Event-Driven Ansible. An upstream fix is documented in ansible/ansible-rulebook pull request 767 on GitHub (https://github.com/ansible/ansible-rulebook/pull/767). Organizations should consult the Red Hat security advisories at https://access.redhat.com/errata/RHSA-2025:3636 and https://access.redhat.com/errata/RHSA-2025:3637 for precise affected versions and patch availability.

RemediationAI

Apply patches from Red Hat advisory RHSA-2025:3636 and RHSA-2025:3637 (https://access.redhat.com/errata/RHSA-2025:3636 and https://access.redhat.com/errata/RHSA-2025:3637) to update Ansible Automation Platform Event-Driven Ansible to a patched version. Until patching is complete, disable debug-level verbosity in production rulebook activations-use info or warning levels instead, restricting debug mode to isolated test environments. Implement log aggregation with automatic credential redaction rules (masking patterns for passwords, tokens, and API keys) and restrict direct console/log file access via file system permissions or role-based access controls to trusted operators only. Review Event Streams configurations for debug settings and align them with the same logging policies.

CVE-2019-10217 MEDIUM POC
6.5 Nov 25

A flaw was found in ansible 2.8.0 before 2.8.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploit

CVE-2017-7550 CRITICAL
9.8 Nov 21

A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkin

CVE-2021-33924 CRITICAL
9.8 Sep 29

Confluent Ansible (cp-ansible) version 5.5.0, 5.5.1, 5.5.2 and 6.0.0 is vulnerable to Incorrect Access Control via its a

CVE-2020-1733 MEDIUM POC
5.0 Mar 11

A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a play

CVE-2014-3498 HIGH
8.8 Jun 08

The user module in ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands. Rated high seve

CVE-2020-1735 MEDIUM POC
4.6 Mar 16

A flaw was found in the Ansible Engine when the fetch module is used. Rated medium severity (CVSS 4.6), this vulnerabili

CVE-2015-6240 HIGH
7.8 Jun 07

The chroot, jail, and zone connection plugins in ansible before 1.9.2 allow local users to escape a restricted environme

CVE-2016-3096 HIGH
7.8 Jun 03

The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local use

CVE-2023-5764 HIGH
7.8 Dec 12

A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the u

CVE-2022-3697 HIGH
7.5 Oct 28

A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2

CVE-2020-1736 LOW POC
3.3 Mar 16

A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified

CVE-2020-25636 HIGH
7.1 Oct 05

A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file t

Vendor StatusVendor

Share

CVE-2025-2877 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy