Vulnerability Details CVE-2019-14864
Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.012
EPSS Ranking 77.6%
CVSS Severity
CVSS v3 Score 5.7
CVSS v2 Score 4.0
References
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864
- https://github.com/ansible/ansible/issues/63522
- https://github.com/ansible/ansible/pull/63527
- https://www.debian.org/security/2021/dsa-4950
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864
- https://github.com/ansible/ansible/issues/63522
- https://github.com/ansible/ansible/pull/63527
- https://www.debian.org/security/2021/dsa-4950
Products affected by CVE-2019-14864
-
cpe:2.3:a:opensuse:backports_sle:15.0
-
cpe:2.3:a:redhat:ansible:2.7.0
-
cpe:2.3:a:redhat:ansible:2.7.1
-
cpe:2.3:a:redhat:ansible:2.7.10
-
cpe:2.3:a:redhat:ansible:2.7.11
-
cpe:2.3:a:redhat:ansible:2.7.12
-
cpe:2.3:a:redhat:ansible:2.7.13
-
cpe:2.3:a:redhat:ansible:2.7.14
-
cpe:2.3:a:redhat:ansible:2.7.2
-
cpe:2.3:a:redhat:ansible:2.7.3
-
cpe:2.3:a:redhat:ansible:2.7.4
-
cpe:2.3:a:redhat:ansible:2.7.5
-
cpe:2.3:a:redhat:ansible:2.7.6
-
cpe:2.3:a:redhat:ansible:2.7.7
-
cpe:2.3:a:redhat:ansible:2.7.8
-
cpe:2.3:a:redhat:ansible:2.7.9
-
cpe:2.3:a:redhat:ansible:2.8.0
-
cpe:2.3:a:redhat:ansible:2.8.1
-
cpe:2.3:a:redhat:ansible:2.8.2
-
cpe:2.3:a:redhat:ansible:2.8.3
-
cpe:2.3:a:redhat:ansible:2.8.4
-
cpe:2.3:a:redhat:ansible:2.8.5
-
cpe:2.3:a:redhat:ansible:2.8.6
-
cpe:2.3:a:redhat:ansible:2.9.0
-
cpe:2.3:a:redhat:ansible_tower:3.0
-
cpe:2.3:a:redhat:ceph_storage:3.0
-
cpe:2.3:a:redhat:cloudforms_management_engine:5.0
-
cpe:2.3:o:debian:debian_linux:10.0
-
cpe:2.3:o:opensuse:leap:15.1
-
cpe:2.3:o:redhat:enterprise_linux:6.0
-
cpe:2.3:o:redhat:enterprise_linux:7.0
-
cpe:2.3:o:redhat:enterprise_linux:8.0