CVE-2019-14846

HIGH

Ansible Engine < 2.6.20 - Sensitive Information Disclosure in Debug Logs

Title source: llm
STIX 2.1

Description

In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.

References (12)

Core 12
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14846
Patch, Third Party Advisory x_refsource_confirm
https://github.com/ansible/ansible/pull/63366
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3203
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3202
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3207
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3201
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0756
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2021/dsa-4950

Scores

CVSS v3 7.8
EPSS 0.0051
EPSS Percentile 39.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-532 CWE-117
Status published
Products (10)
debian/debian_linux 8.0
debian/debian_linux 9.0
debian/debian_linux 10.0
opensuse/backports_sle 15.0 sp1
opensuse/leap 15.1
pypi/ansible 0 - 2.6.20PyPI
redhat/ansible_engine 2.0
redhat/ansible_engine 2.8.0
redhat/ansible_engine < 2.6.20
redhat/openstack 13
Published Oct 08, 2019
Tracked Since Feb 18, 2026