CVE-2025-14010
BaseFortify
Publication date: 2025-12-04
Last updated on: 2026-05-06
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keycloak | keycloak | * |
| ansible | community.general | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw in the ansible-collection-community-general that causes sensitive credentials, specifically plaintext passwords, to be exposed through verbose output when Ansible is run in debug mode. Attackers who have access to these logs can retrieve these secrets.
How can this vulnerability impact me?
If exploited, this vulnerability can lead to the exposure of sensitive credentials, allowing attackers to potentially compromise Keycloak accounts or gain administrative access.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid running Ansible with debug or verbose modes that expose sensitive credentials in logs. Restrict access to logs to trusted personnel only and review log management policies to prevent unauthorized access to sensitive information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability exposes plaintext passwords in verbose debug logs, which can lead to unauthorized access to sensitive credentials. This exposure of sensitive information could result in non-compliance with data protection standards and regulations such as GDPR and HIPAA, which require the protection of personal and sensitive data from unauthorized disclosure. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by reviewing the debug or verbose output that Ansible produces when a playbook using the community.general `keycloak_user` module is run with high verbosity (e.g., `-vvv`). Specifically, look for the `credentials[].value` field appearing with plaintext passwords in that output. A suggested command to reproduce and detect the issue is to run Ansible with increased verbosity, `ansible-playbook playbook.yml -vvv`, and then inspect the output or log files for leaked credential values. [1]
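A log check for the exposure described above, added here as an example that is not part of the BaseFortify page or of the community.general project: it parses the JSON task results that `ansible-playbook -vvv` prints and reports every `credentials[].value` that is not replaced by Ansible's `no_log` placeholder. The sample output and host names are constructed; the `invocation.module_args` echo is Ansible's standard verbose result shape.

```python
import json
import re

# Placeholder Ansible substitutes for any parameter declared with no_log=True.
NO_LOG_MARK = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"

# Constructed sample of `ansible-playbook -vvv` output (not a real capture): two
# keycloak_user task results whose "invocation" echoes the module arguments.
SAMPLE_OUTPUT = """\
changed: [kc-a] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "username": "alice",
            "credentials": [
                {"type": "password", "value": "example-plaintext", "temporary": false}
            ]
        }
    }
}
changed: [kc-b] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "username": "bob",
            "credentials": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
        }
    }
}
"""

def find_leaked_credentials(verbose_output: str) -> list[tuple[str, str]]:
    """Return (host, value) pairs for every credentials[].value printed in plaintext."""
    leaks = []
    decoder = json.JSONDecoder()
    # Verbose task results are printed as '<status>: [<host>] => <json object>'.
    for match in re.finditer(r"^\w+: \[([^\]]+)\] => ", verbose_output, re.M):
        try:
            result, _ = decoder.raw_decode(verbose_output, match.end())
        except json.JSONDecodeError:
            continue  # not a JSON result block
        module_args = result.get("invocation", {}).get("module_args", {})
        creds = module_args.get("credentials")
        # A masked parameter is the placeholder string, not a list, so it yields nothing.
        for cred in creds if isinstance(creds, list) else []:
            value = cred.get("value") if isinstance(cred, dict) else None
            if value and value != NO_LOG_MARK:
                leaks.append((match.group(1), value))
    return leaks
```

Run it over saved `-vvv` output or CI job logs; any reported pair means a password was written to a log that should be treated as compromised and rotated.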