CVE-2024-0690: 
Ansible vulnerability analysis and mitigation

An information disclosure vulnerability (CVE-2024-0690) was discovered in ansible-core affecting versions prior to 2.14.4, 2.15.0 prior to 2.15.9, and 2.16.0 prior to 2.16.3. The vulnerability was disclosed on February 6, 2024, and stems from a failure to respect the ANSIBLE_NO_LOG configuration in certain scenarios. The flaw affects ansible-core and related products including Red Hat Ansible Automation Platform, Red Hat Ansible Inside, and Red Hat Ansible Developer (NVD, Red Hat Advisory).

The vulnerability occurs when the ANSIBLE_NO_LOG environment variable configuration is ignored in certain tasks, particularly those involving loop items. This behavior can result in sensitive information, including decrypted secret values, being exposed in the output despite the no_log configuration being set. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating local access is required for exploitation (NVD).

The successful exploitation of this vulnerability could lead to the disclosure of sensitive information. Specifically, when the vulnerability is triggered, sensitive data such as decrypted secret values may be exposed in task outputs, even when explicitly configured not to log such information (Red Hat Bugzilla).

The vulnerability has been fixed in ansible-core versions 2.14.4, 2.15.9, and 2.16.3. As a workaround before updating, users can explicitly set no_log within the playbook instead of relying on the global ANSIBLE_NO_LOG configuration. Red Hat has released security updates addressing this vulnerability through multiple advisories including RHSA-2024:0733, RHSA-2024:2246, and RHSA-2024:3043 (Red Hat Advisory).