Fluid Attacks Database

Description

Inclusion of Sensitive Information in Log Files and Improper Output Neutralization for Logs in Ansible Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	ansible	>=2.7.0a1 <2.7.15 \|\| >=2.8.0a1 <2.8.7 \|\| >=2.9.0a1 <2.9.1	2.7.15, 2.8.7, 2.9.1
alpine v3.9	ansible	=0.3.1-r0 \|\| =0.4-r0 \|\| =0.5-r0 \|\| =0.7-r0 \|\| =0.7.1-r0 \|\| =0.8-r0 \|\| =0.9-r0 \|\| =1.0-r0 \|\| =1.0-r1 \|\| =1.1-r0 \|\| =1.1-r1 \|\| =1.2-r1 \|\| =1.2.1-r1 \|\| =1.2.2-r0 \|\| =1.2.3-r0 \|\| =1.3.3-r0 \|\| =1.3.4-r0 \|\| =1.4.1-r0 \|\| =1.4.3-r0 \|\| =1.4.5-r0 \|\| =1.5.0-r0 \|\| =1.5.4-r0 \|\| =1.5.5-r0 \|\| =1.6.1-r0 \|\| =1.6.5-r0 \|\| =1.6.6-r0 \|\| =1.6.7-r0 \|\| =1.7.0-r0 \|\| =1.7.1-r0 \|\| =1.7.2-r0 \|\| =1.8.0-r0 \|\| =1.8.2-r0 \|\| =1.8.4-r0 \|\| =1.9.2-r0 \|\| =1.9.2-r1 \|\| =1.9.3-r0 \|\| =1.9.3-r1 \|\| =1.9.4-r0 \|\| =2.0.0.2-r0 \|\| =2.0.0.2-r1 \|\| =2.0.1.0-r1 \|\| =2.1.0.0-r0 \|\| =2.1.1.0-r0 \|\| =2.1.2.0-r0 \|\| =2.2.0.0-r0 \|\| =2.2.1.0-r0 \|\| =2.2.1.0-r1 \|\| =2.2.2.0-r0 \|\| =2.3.0.0-r0 \|\| =2.3.0.0-r1 \|\| =2.3.1.0-r0 \|\| =2.3.2.0-r0 \|\| =2.4.0.0-r0 \|\| =2.4.1.0-r0 \|\| =2.4.2.0-r0 \|\| =2.4.3.0-r0 \|\| =2.5.0-r0 \|\| =2.5.2-r0 \|\| =2.5.4-r0 \|\| =2.5.5-r0 \|\| =2.6.0-r0 \|\| =2.6.1-r0 \|\| =2.6.3-r0 \|\| =2.7.0-r0 \|\| =2.7.0-r1 \|\| =2.7.12-r0 \|\| =2.7.13-r0 \|\| =2.7.14-r0 \|\| >=0 <2.7.16-r0	2.7.16-r0
alpine v3.10	ansible	=0.3.1-r0 \|\| =0.4-r0 \|\| =0.5-r0 \|\| =0.7-r0 \|\| =0.7.1-r0 \|\| =0.8-r0 \|\| =0.9-r0 \|\| =1.0-r0 \|\| =1.0-r1 \|\| =1.1-r0 \|\| =1.1-r1 \|\| =1.2-r1 \|\| =1.2.1-r1 \|\| =1.2.2-r0 \|\| =1.2.3-r0 \|\| =1.3.3-r0 \|\| =1.3.4-r0 \|\| =1.4.1-r0 \|\| =1.4.3-r0 \|\| =1.4.5-r0 \|\| =1.5.0-r0 \|\| =1.5.4-r0 \|\| =1.5.5-r0 \|\| =1.6.1-r0 \|\| =1.6.5-r0 \|\| =1.6.6-r0 \|\| =1.6.7-r0 \|\| =1.7.0-r0 \|\| =1.7.1-r0 \|\| =1.7.2-r0 \|\| =1.8.0-r0 \|\| =1.8.2-r0 \|\| =1.8.4-r0 \|\| =1.9.2-r0 \|\| =1.9.2-r1 \|\| =1.9.3-r0 \|\| =1.9.3-r1 \|\| =1.9.4-r0 \|\| =2.0.0.2-r0 \|\| =2.0.0.2-r1 \|\| =2.0.1.0-r1 \|\| =2.1.0.0-r0 \|\| =2.1.1.0-r0 \|\| =2.1.2.0-r0 \|\| =2.2.0.0-r0 \|\| =2.2.1.0-r0 \|\| =2.2.1.0-r1 \|\| =2.2.2.0-r0 \|\| =2.3.0.0-r0 \|\| =2.3.0.0-r1 \|\| =2.3.1.0-r0 \|\| =2.3.2.0-r0 \|\| =2.4.0.0-r0 \|\| =2.4.1.0-r0 \|\| =2.4.2.0-r0 \|\| =2.4.3.0-r0 \|\| =2.5.0-r0 \|\| =2.5.2-r0 \|\| =2.5.4-r0 \|\| =2.5.5-r0 \|\| =2.6.0-r0 \|\| =2.6.1-r0 \|\| =2.6.3-r0 \|\| =2.7.0-r0 \|\| =2.7.0-r1 \|\| =2.7.9-r0 \|\| =2.7.9-r1 \|\| =2.8.0-r1 \|\| =2.8.1-r0 \|\| =2.8.3-r0 \|\| =2.8.4-r0 \|\| =2.8.6-r0 \|\| >=0 <2.8.8-r0	2.8.8-r0
debian 11	ansible	>=0 <2.9.2+dfsg-1	2.9.2+dfsg-1
debian 12	ansible	>=0 <2.9.2+dfsg-1	2.9.2+dfsg-1
debian 13	ansible	>=0 <2.9.2+dfsg-1	2.9.2+dfsg-1
debian 14	ansible	>=0 <2.9.2+dfsg-1	2.9.2+dfsg-1

Aliases

1. CVE-2019-148642. NVD-2019-148643. OSV-2019-148644. OSV-ALPINE-2019-148645. OSV-DEBIAN-2019-148646. GHSA-3m93-m4q6-mc6v7. GCVE-2019-148648. SECURITY-CVE-2019-148649. SECURITY-TRACKER-CVE-2019-14864

References