Severity: 7.8 HIGH (NVD)
EPSS: 0.1% (top 68.02%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 8 | Latest update Mar 5

Description

In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19 were logging at the DEBUG level, which led to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (7 packages)

NVD | redhat/ansible_engine | 2.7.0 | 2.7.14 | +4
PyPI | redhat/ansible | 2.7.0a1 | 2.7.14 | +2
Debian | redhat/ansible | < 2.8.6+dfsg-1 | +3
CVEListV5 | red_hat/ansible | all ansible_engine-2.x and ansible_engine-3.x up to ansible_engine-3.5
NVD | opensuse/leap | 15.1

Also affects: Debian Linux 10.0, 8.0, 9.0

Patches

Vulnerability Details (4)

OSV | Ansible Uses Plugins That Disclose Credentials | 2022-05-24
GHSA | Ansible Uses Plugins That Disclose Credentials | 2022-05-24
OSV | CVE-2019-14846: In Ansible, all Ansible Engine versions up to ansible-engine 2 | 2019-10-08
CVEList | CVE-2019-14846: In Ansible, all Ansible Engine versions up to ansible-engine 2 | 2019-10-08

Vendor Advisories (3)

Ubuntu | Ansible vulnerabilities | 2025-03-05
Red Hat | ansible: secrets disclosed on logs when no_log enabled | 2019-10-08
Debian | CVE-2019-14846: ansible - In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engi... | 2019

Community (1)

Bugzilla | CVE-2019-14846 ansible: secrets disclosed on logs when no_log enabled | 2019-09-25