Jenkins Ansible plugin Invoke playbook variables concealed

Something has changed in recent updates but it’s not known which update. For build step Invoke Ansible Playbook, we used to see Extra Variables values when editing configuration Advanced, Key Value. Now we see Value Concealed and button Change Password. I’m hoping someone can offer some clues as I’m unable to find how to fix this so that we can see our values that we set which are filenames and paths and are not settings that should be concealed.

Thanks,
Adrien.

I just did an update this morning, but the problem persists.

Jenkins setup:
Jenkins: 2.414.1
OS: Linux - 4.18.0-477.15.1.el8_8.x86_64
Java: 17.0.4.1 - Oracle Corporation (Java HotSpot(TM) 64-Bit Server VM)
---
ansible:253.v4fe719ffdd8a_

Update: I installed previous ansible plugin version: https://updates.jenkins.io/download/plugins/ansible/204.v8191fd551eb_f/ansible.hpi
Now I can see the Key Values. They are not concealed.
The problem was introduced after this version.

FYI,
Adrien.

Thank you Adrien for this feedback.

Please raise an issue in the plugin GitHub repo. :pray:

Created issue: Ansible Plugin Invoke Playbook variables concealed after 204.v8191fd551eb_f · Issue #127 · jenkinsci/ansible-plugin · GitHub


This is a change to the Ansible plugin because of a security issue:

Secrets stored and displayed in plain text by Ansible Plugin

SECURITY-3017 / CVE-2023-32982 (storage), CVE-2023-32983 (masking)
Severity (CVSS): Medium
Affected plugin: ansible
Description:

Ansible Plugin allows the specification of extra variables that can be passed to Ansible. These extra variables are commonly used to pass secrets.

Ansible Plugin 204.v8191fd551eb_f and earlier stores these extra variables unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These extra variables can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these extra variables, increasing the potential for attackers to observe and capture them.

Ansible Plugin 205.v4cb_c48657c21 masks extra variables displayed on the configuration form, and stores them encrypted once job configurations are saved again.

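The advisory quoted above says extra variables are only stored encrypted once a job configuration is saved again, so jobs that have not been re-saved since the upgrade can still hold plaintext values in `config.xml`. As an added example (not part of the thread or the plugin's own code), this Python check lists the keys of extra variables that are not yet in Jenkins' encrypted `{base64}` form; the element names `ExtraVar`, `value` and `secretValue` and the sample XML are assumptions, constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Jenkins serializes an encrypted Secret as base64 wrapped in braces.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/]+=*\}$")

# Constructed sample. Element names (ExtraVar, value, secretValue) are
# assumptions; compare with a real job config.xml before relying on them.
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <builders>
    <org.jenkinsci.plugins.ansible.AnsiblePlaybookBuilder>
      <playbook>site.yml</playbook>
      <extraVars>
        <org.jenkinsci.plugins.ansible.ExtraVar>
          <key>deploy_path</key>
          <value>/opt/app/releases</value>
          <hidden>false</hidden>
        </org.jenkinsci.plugins.ansible.ExtraVar>
        <org.jenkinsci.plugins.ansible.ExtraVar>
          <key>db_password</key>
          <secretValue>{AQAAABAAAAAQc2FtcGxlLWNpcGhlcnRleHQ=}</secretValue>
          <hidden>true</hidden>
        </org.jenkinsci.plugins.ansible.ExtraVar>
      </extraVars>
    </org.jenkinsci.plugins.ansible.AnsiblePlaybookBuilder>
  </builders>
</project>"""

def plaintext_extra_vars(config_xml):
    """Return the keys of extra variables whose value is not encrypted."""
    # Jenkins writes an XML 1.1 declaration, which expat refuses to parse.
    config_xml = re.sub(r"^<\?xml version=['\"]1\.1['\"]",
                        "<?xml version='1.0'", config_xml.lstrip())
    findings = []
    for node in ET.fromstring(config_xml).iter():
        if not node.tag.endswith("ExtraVar"):
            continue
        key = node.findtext("key", default="<no key>")
        for child in node:
            text = (child.text or "").strip()
            if child.tag in ("key", "hidden") or not text:
                continue
            if not ENCRYPTED.match(text):
                findings.append(key)  # report the key only, never the value
    return findings

if __name__ == "__main__":
    print(plaintext_extra_vars(SAMPLE_CONFIG))
```

Run it over each job's `config.xml` on the controller; any key it reports belongs to a job that still needs to be opened and saved once under the fixed plugin version.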

Totally support best security practices. Would it be possible to enhance the ansible plugin so that we could choose a type of extra variable that would not be concealed?

Adrien.

How do I create a request for enhancement for the ansible plugin?

Adrien.


I’d love to see that implemented, because it is really annoying to be unable to see the value field in the Ansible extra variables section. I think credentials need to be managed explicitly as credentials in any other part of the Ansible module, not mixed with the regular extra parameters.

BTW: I was tasked to upgrade our Jenkins infrastructure from a really old version and now I have all developers pestering me about this issue :roll_eyes: