CVE-2024-8775: 
Ansible vulnerability analysis and mitigation

A vulnerability (CVE-2024-8775) was discovered in Ansible, affecting versions prior to 2.16.13 and 2.17.6. The flaw allows sensitive information stored in Ansible Vault files to be exposed in plaintext during playbook execution when using tasks such as includevars to load vaulted variables without setting the nolog: true parameter. This vulnerability was discovered and disclosed in September 2024 (NVD, GitHub Advisory).

The vulnerability occurs when tasks that load vaulted variables are executed without the no_log: true parameter setting. This implementation flaw can result in sensitive data being printed in the playbook output or logs. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating local access is required but the complexity of exploitation is low (Red Hat).

The vulnerability can lead to the unintentional disclosure of secrets like passwords or API keys stored in Ansible Vault files. This exposure of sensitive information could potentially allow unauthorized access or actions, compromising the security of systems managed through Ansible (NVD).

The vulnerability has been patched in Ansible Core versions 2.16.13 and 2.17.6. Users should upgrade to these or later versions. As a workaround, users should ensure the no_log: true parameter is set when using tasks that load vaulted variables (Red Hat).