CVE-2019-14864
Vulnerability Summary
Description
Ansible versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and 2.7.x before 2.7.15 do not respect the no_log flag when it is set to True and the Sumologic and Splunk callback plugins are used to send task result events to collectors. As a result, any sensitive data in those task results is disclosed and collected.
CVSS Metrics
- v3.1 • MEDIUM • Score: 6.5 • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- v3.0 • MEDIUM • Score: 5.7 • CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
- v2.0 • MEDIUM • Score: 4.0 • AV:N/AC:L/Au:S/C:P/I:N/A:N
EPSS Trends
Current EPSS score: 0.86% • Percentile: 75%
Techniques & Countermeasures
- CWE-117 • Improper Output Neutralization for Logs: the product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.
- CWE-532 • Insertion of Sensitive Information into Log File: the product writes sensitive information to a log file.
Affected Systems
- debian • debian_linux: 10.0
- opensuse • backports_sle: 15.0:sp1
- opensuse • leap: 15.1
- PyPI • ansible: ≥ 2.7.0a1, < 2.7.15 | ≥ 2.8.0a1, < 2.8.7 | ≥ 2.9.0a1, < 2.9.1 | ≥ 2.9.0, < 2.9.1
- red hat • ansible: Ansible versions 2.9.x before 2.9.1 | Ansible versions 2.8.x before 2.8.7 | Ansible versions 2.7.x before 2.7.15
- redhat • ansible: ≥ 2.7.0, < 2.7.15 | ≥ 2.8.0, < 2.8.7 | ≥ 2.9.0, < 2.9.1
- redhat • ansible_tower: 3.0
- redhat • ceph_storage: 3.0
- redhat • cloudforms_management_engine: 5.0
- redhat • enterprise_linux: 6.0 | 7.0 | 8.0
References (17)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864
- https://github.com/ansible/ansible/issues/63522
- https://github.com/ansible/ansible/pull/63527
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
- https://www.debian.org/security/2021/dsa-4950
- https://nvd.nist.gov/vuln/detail/CVE-2019-14864
- https://github.com/ansible/ansible/pull/64273
- https://github.com/ansible/ansible/pull/64274
- https://github.com/ansible/ansible/pull/64748
- https://github.com/ansible/ansible/commit/050f92f96054bf59e283fdec9972323c2ed00348
- https://github.com/ansible/ansible/commit/75288a89d0053d6df35c90863fb6c9542d89850e
- https://github.com/ansible/ansible/commit/a0ec2976b2716cdecdd7a8f416d96406acd79b7c
- https://github.com/ansible/ansible/commit/c76e074e4c71c7621a1ca8159261c1959b5287af
- https://github.com/advisories/GHSA-3m93-m4q6-mc6v
- https://github.com/ansible/ansible
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-160.yaml