CVE-2025-2877

MEDIUM6.5

Event-driven-ansible: exposure inventory passwords in plain text when starting a rulebook activation with verbosity set to debug in eda

Published Mar 28, 2025

Modified 1 months ago

No fix available

Details

A flaw was found in the Ansible Automation Platform's Event-Driven Ansible. In configurations where verbosity is set to "debug", inventory passwords are exposed in plain text when starting a rulebook activation. This issue exists for any "debug" action in a rulebook and also affects Event Streams.

References

ADVISORYhttps://access.redhat.com/errata/RHSA-2025:3636 ADVISORYhttps://access.redhat.com/errata/RHSA-2025:3637 WEBhttps://access.redhat.com/security/cve/CVE-2025-2877 WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=2355540 ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2025-2877

CVSS Analysis

CVSS v3.1

6.5

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

LowPR:L

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

HighC:H

Integrity

NoneI:N

Availability

NoneA:N

6.5/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Weakness Type (CWE)

Other

CWE-1295

Ecosystems

Timeline

PublishedMar 28, 2025

ModifiedNov 20, 2025