Information disclosure via HTTP URL in Ansible uri task

High Risk infrastructure-security

What it is

When an Ansible uri task sends requests over cleartext HTTP, sensitive data can be disclosed and the traffic can be tampered with via man-in-the-middle attacks.

Why it happens

Ansible uri tasks use http:// URLs for API calls or downloads, which exposes the traffic to interception.

Root causes

HTTP URLs in Playbooks

Using http:// URLs in Ansible uri tasks for API calls or downloads, exposing traffic to interception.

Internal Network Assumption

Assuming internal networks are secure and not requiring HTTPS for internal service communication.

Legacy Service Compatibility

Connecting to older services that don't support HTTPS without implementing a proxy or upgrade plan.

Fixes

1. Use HTTPS URLs

Replace all http:// URLs with https:// in uri task url parameters.

2. Validate SSL Certificates

Ensure validate_certs is set to true (default) to verify server certificates.

3. Use TLS-Terminating Proxies

For services without HTTPS support, deploy a reverse proxy that handles TLS termination.
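
One way to check a playbook against the first two fixes, as an added example that is not Sourcery's detection code or part of the original page. The function name, the sample playbook and its host names are constructed for illustration; the scanner is line-based, handles block-form module arguments only, and does not resolve templated URLs.

```python
import re

URI_MODULES = {"uri", "ansible.builtin.uri"}
FALSE_VALUES = {"false", "no", "off", "0"}  # common spellings of boolean false

# Constructed sample playbook; host names are placeholders.
SAMPLE_PLAYBOOK = """\
- hosts: localhost
  tasks:
    - name: Fetch status (cleartext)
      ansible.builtin.uri:
        url: "http://api.internal.example/status"
        validate_certs: no
    - name: Fetch status (TLS, verified)
      uri:
        url: https://api.internal.example/status
        validate_certs: true
    - name: Unrelated module is ignored
      ansible.builtin.debug:
        msg: "url: http://not-a-uri-task.example"
"""


def find_insecure_uri_tasks(playbook_text):
    """Return (line_number, message) findings for uri tasks in playbook text."""
    findings = []
    module_indent = None  # indent of the enclosing uri module key, if any
    for number, raw in enumerate(playbook_text.splitlines(), 1):
        line = re.sub(r"\s+#.*$", "", raw).rstrip()  # drop trailing comments
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if module_indent is not None and indent <= module_indent:
            module_indent = None  # dedent: the uri argument block ended
        if body.startswith("- "):  # list item: the key sits two columns in
            indent, body = indent + 2, body[2:].strip()
        key, sep, value = body.partition(":")
        value = value.strip().strip("\"'").lower()
        if sep and key in URI_MODULES:
            module_indent = indent
        elif module_indent is not None:
            if key == "url" and value.startswith("http://"):
                findings.append((number, "cleartext http:// URL"))
            elif key == "validate_certs" and value in FALSE_VALUES:
                findings.append((number, "certificate validation disabled"))
    return findings
```

On the sample, only the first task is reported: once for its http:// URL and once for `validate_certs: no`.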

Detect This Vulnerability in Your Code

Sourcery automatically identifies information disclosure via HTTP URLs in Ansible uri tasks and many other security issues in your codebase.