{"id":"MGASA-2020-0363","summary":"Updated ansible package fixes security vulnerabilities","details":"An Improper Output Neutralization for Logs flaw was found in Ansible when using\nthe uri module, where sensitive data is exposed to content and json output.\nThis flaw allows an attacker to access the logs or outputs of performed tasks\nto read keys used in playbooks from other users within the uri module. The\nhighest threat from this vulnerability is to data confidentiality\n(CVE-2020-14430).\n\nA flaw was found in the Ansible Engine when using module_args. Tasks executed\nwith check mode (--check-mode) do not properly neutralize sensitive data\nexposed in the event data. This flaw allows unauthorized users to read this\ndata. The highest threat from this vulnerability is to confidentiality\n(CVE-2020-14432).\n\nA flaw was found in the Ansible Engine when installing packages using the dnf\nmodule. GPG signatures are ignored during installation even when\ndisable_gpg_check is set to False, which is the default behavior. This flaw\nleads to malicious packages being installed on the system and arbitrary code\nexecuted via package installation scripts. The highest threat from this\nvulnerability is to integrity and system availability (CVE-2020-14365).\n","modified":"2026-04-16T04:40:59.734119009Z","published":"2020-09-05T09:34:29Z","upstream":["CVE-2020-14365","CVE-2020-14430","CVE-2020-14432"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0363.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=27175"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2NYYQP2XJB2TTRP6AKWVMBSPB2DFJNKD/"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2020:3600"}],"affected":[{"package":{"name":"ansible","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/ansible?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.18-1.1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0363.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}