CVE-2019-14846

HIGH

Redhat Ansible Engine < 2.6.20 - Log Information Exposure

Title source: rule
STIX 2.1

Description

In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.

References (12)

Scores

CVSS v3 7.8
EPSS 0.0012
EPSS Percentile 30.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-532 CWE-117
Status published
Products (10)
debian/debian_linux 8.0
debian/debian_linux 9.0
debian/debian_linux 10.0
opensuse/backports_sle 15.0 sp1
opensuse/leap 15.1
pypi/ansible 0 - 2.6.20PyPI
redhat/ansible_engine 2.0
redhat/ansible_engine 2.8.0
redhat/ansible_engine < 2.6.20
redhat/openstack 13
Published Oct 08, 2019
Tracked Since Feb 18, 2026