CVE-2019-14864 ansible

Package

Manager: pip
Name: ansible
Vulnerable Version: >=2.7.0a1 <2.7.15 || >=2.8.0a1 <2.8.7 || >=2.9.0a1 <2.9.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00935 (percentile: 0.75284)

Details

Inclusion of Sensitive Information in Log Files and Improper Output Neutralization for Logs in Ansible

Ansible versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and 2.7.x before 2.7.15 do not respect the no_log flag when it is set to True and the Sumologic and Splunk callback plugins are used to send task result events to collectors. As a result, any sensitive data in those results is disclosed to and collected by the collectors.
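
To show what honouring no_log means for a callback that ships task results to a collector, here is an added example (not Ansible's or the plugins' own code). The function names and the sample result are constructed, and it assumes the result dict carries an `_ansible_no_log` marker and that loop items sit under a `results` list.

```python
import copy
import json

# Replacement payload sent instead of the real result (wording is illustrative).
CENSORED = {"censored": "output hidden because no_log: true was set for this result"}

# Status fields that are safe to keep so dashboards still see the task outcome.
STATUS_KEYS = ("changed", "failed", "skipped")


def build_event_unsafe(host, task_name, result):
    """Weak pattern: the raw result is serialized and forwarded, no_log ignored."""
    return json.dumps({"host": host, "task": task_name, "result": result}, sort_keys=True)


def redact(result):
    """Return a copy of a task result that is safe to forward to a collector."""
    if result.get("_ansible_no_log", False):  # assumed marker name
        safe = dict(CENSORED)
        safe.update({k: result[k] for k in STATUS_KEYS if k in result})
        return safe
    cleaned = copy.deepcopy(result)
    # Assumption: loop tasks nest per-item results, each with its own marker.
    if isinstance(cleaned.get("results"), list):
        cleaned["results"] = [
            redact(item) if isinstance(item, dict) else item
            for item in cleaned["results"]
        ]
    return cleaned


def build_event(host, task_name, result):
    """Hardened pattern: redact before anything leaves the controller."""
    return json.dumps({"host": host, "task": task_name, "result": redact(result)}, sort_keys=True)


# Constructed sample result for a task declared with no_log: true.
SAMPLE = {
    "_ansible_no_log": True,
    "changed": True,
    "invocation": {"module_args": {"password": "constructed-secret"}},
}

if __name__ == "__main__":
    print("unsafe:", build_event_unsafe("web01", "set db password", SAMPLE))
    print("safe:  ", build_event("web01", "set db password", SAMPLE))
```
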

Metadata

Created: 2020-02-26T19:54:31Z
Modified: 2024-09-04T20:27:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-3m93-m4q6-mc6v/GHSA-3m93-m4q6-mc6v.json
CWE IDs: ["CWE-532"]
Alternative ID: GHSA-3m93-m4q6-mc6v
Finding: F091
Auto approve: 1