x/vulndb: potential Go vuln in github.com/ansible/ansible: CVE-2019-10217

[tatianab]

CVE-2019-10217 references github.com/ansible/ansible, which may be a Go module.

Description:
A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-10217
• web: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217
• report: gcp_storage_object fails with service_account_contents option ansible/ansible#56269
• fix: gcp_utils: Handle JSON decode exception ansible/ansible#59427
• web: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
• web: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
• Imported by: https://pkg.go.dev/github.com/ansible/ansible?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/ansible/ansible
      vulnerable_at: 2.15.5+incompatible
      packages:
        - package: Ansible
cves:
    - CVE-2019-10217
references:
    - web: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217
    - report: https://github.com/ansible/ansible/issues/56269
    - fix: https://github.com/ansible/ansible/pull/59427
    - web: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
    - web: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports