CVE-2019-14864

CWE-117 CWE-532 — Log File Information Exposure CWE-21312 documents7 sources

Severity

6.5MEDIUM

EPSS

1.0%

top 23.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Ansible RED HAT Ansible Debian Debian Linux +6 more

Timeline

PublishedJan 2

Latest updateFeb 26

Description

Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages9 packages

▶PyPIansible2.7.0a1 — 2.7.15+2

▶NVDredhat/ansible2.7.0 — 2.7.15+2

▶Debianansible< 2.9.2+dfsg-1+3

▶CVEListV5red_hat/ansibleAnsible versions 2.7.x before 2.7.15, Ansible versions 2.8.x before 2.8.7, Ansible versions 2.9.x before 2.9.1+2

▶NVDredhat/ansible_tower3.0

Also affects: Debian Linux 10.0, Enterprise Linux 6.0, 7.0, 8.0

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Inclusion of Sensitive Information in Log Files and Improper Output Neutralization for Logs in Ansible↗2020-02-26

▶

OSV

Inclusion of Sensitive Information in Log Files and Improper Output Neutralization for Logs in Ansible↗2020-02-26

▶

CVEList

CVE-2019-14864: Ansible, versions 2↗2020-01-02

▶

OSV

CVE-2019-14864: Ansible, versions 2↗2020-01-02

▶

📋Vendor Advisories

Red Hat

Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs↗2019-10-22

▶

Debian

CVE-2019-14864: ansible - Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2....↗2019

▶

💬Community

Bugzilla

CVE-2019-14864 ansible: Splunk and Sumologic callback plugins leak sensitive data in logs [epel-6]↗2019-11-19

▶

Bugzilla

CVE-2019-14864 ansible: Splunk and Sumologic callback plugins leak sensitive data in logs [openstack-rdo]↗2019-11-19

▶

Bugzilla

CVE-2019-14864 ansible: Splunk and Sumologic callback plugins leak sensitive data in logs [epel-7]↗2019-11-19

▶

Bugzilla

CVE-2019-14864 ansible: Splunk and Sumologic callback plugins leak sensitive data in logs [fedora-all]↗2019-11-19

▶

Bugzilla

CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs↗2019-10-22

▶