A flaw was found in the community.general Ansible collection's nexmo module.
The module constructs HTTP requests to the Vonage/Nexmo SMS API by encoding
API credentials (api_key and api_secret) into URL query parameters and
sending them via GET requests. This causes credentials to be exposed in web
server access logs, proxy logs, HTTP Referer headers, and network monitoring
tools, despite the Ansible argument specification marking these parameters
as no_log. An attacker with access to any of these logging or monitoring
points can obtain the full API credentials and gain unauthorized access to
the victim's Vonage/Nexmo account.
Credits
Red Hat would like to thank Bipin Saud (https://www.linkedin.com/in/bipinsaud/) for reporting this issue.
