CVE-2019-14858

CWE-117CWE-532Log File Information ExposureCWE-2159 documents7 sources
Severity
5.5MEDIUM
EPSS
0.1%
top 81.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Redhat Ansible EngineRedhat Ansible TowerRED HAT Ansible
Timeline
PublishedOct 14
Latest updateMay 24

Description

A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

NVDredhat/ansible_tower3.03.5.0
NVDredhat/ansible_engine2.02.8.0
PyPIansible2.9.0a12.9.0rc4+3
Debianansible< 2.8.6+dfsg-1+3
CVEListV5red_hat/ansibleansible_engine-2.x up to 2.8, ansible_tower-3.x up to 3.5+1

🔴Vulnerability Details

4
OSV
Ansible leaks sensitive information to logs when told not to2022-05-24
GHSA
Ansible leaks sensitive information to logs when told not to2022-05-24
OSV
CVE-2019-14858: A vulnerability was found in Ansible engine 22019-10-14
CVEList
CVE-2019-14858: A vulnerability was found in Ansible engine 22019-10-14

📋Vendor Advisories

2
Red Hat
ansible: sub parameters marked as no_log are not masked in certain failure scenarios2019-10-11
Debian
CVE-2019-14858: ansible - A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x ...2019

💬Community

2
Bugzilla
CVE-2019-14858 ansible: sub parameters marked as no_log are not masked in certain failure scenarios [openstack-rdo]2019-10-29
Bugzilla
CVE-2019-14858 ansible: sub parameters marked as no_log are not masked in certain failure scenarios2019-10-10