CVE-2019-14864
EUVD-2020-000702.01.2020, 15:15
Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| redhat | ansible | 2.7.0 ≤ 𝑥 < 2.7.15 |
| redhat | ansible | 2.8.0 ≤ 𝑥 < 2.8.7 |
| redhat | ansible | 2.9.0 ≤ 𝑥 < 2.9.1 |
| redhat | ansible_tower | 3.0 |
| redhat | ceph_storage | 3.0 |
| redhat | cloudforms_management_engine | 5.0 |
| redhat | enterprise_linux | 6.0 |
| redhat | enterprise_linux | 7.0 |
| redhat | enterprise_linux | 8.0 |
| debian | debian_linux | 10.0 |
| opensuse | backports_sle | 15.0:sp1 |
| opensuse | leap | 15.1 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Common Weakness Enumeration
- CWE-117 - Improper Output Neutralization for LogsThe software does not neutralize or incorrectly neutralizes output that is written to logs.
- CWE-532 - Insertion of Sensitive Information into Log FileInformation written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
References