CVE-2019-14864

Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.

CVSS v3.0 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/ansible/ansible/pull/63527	Patch Vendor Advisory
https://github.com/ansible/ansible/issues/63522	Exploit Patch Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864	Issue Tracking Patch Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:ansible::::::::
	cpe:2.3:a:redhat:ansible::::::::
	cpe:2.3:a:redhat:ansible::::::::
	cpe:2.3:a:redhat:ansible_tower:3.0:::::::*
	cpe:2.3:a:redhat:ceph_storage:3.0:::::::*
	cpe:2.3:a:redhat:cloudforms_management_engine:5.0:::::::*

Configuration 2 (hide)

OR	cpe:2.3:o:redhat:enterprise_linux:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*

Information

Published : 2020-01-02 15:15

Updated : 2021-08-07 15:15

NVD link : CVE-2019-14864

Mitre link : CVE-2019-14864

JSON object : View

Products Affected

redhat

cloudforms_management_engine
ceph_storage
ansible
ansible_tower
enterprise_linux

CWE

CWE-532

Insertion of Sensitive Information into Log File

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/ansible/ansible/pull/63527", "name": "https://github.com/ansible/ansible/pull/63527", "tags": ["Patch", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://github.com/ansible/ansible/issues/63522", "name": "https://github.com/ansible/ansible/issues/63522", "tags": ["Exploit", "Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html", "name": "openSUSE-SU-2020:0513", "tags": [], "refsource": "SUSE"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html", "name": "openSUSE-SU-2020:0523", "tags": [], "refsource": "SUSE"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-532"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2019-14864", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}}, "publishedDate": "2020-01-02T15:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.7.15", "versionStartIncluding": "2.7.0"}, {"cpe23Uri": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.8.7", "versionStartIncluding": "2.8.0"}, {"cpe23Uri": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.9.1", "versionStartIncluding": "2.9.0"}, {"cpe23Uri": "cpe:2.3:a:redhat:ansible_tower:3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:ceph_storage:3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2021-08-07T15:15Z"}