CVE-2019-14864
MEDIUM
Ansible 2.7.0-2.7.14, 2.8.0-2.8.6, 2.9.0 - Sensitive Information Disclosure via Log File
Title source: llm
Description
Ansible versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and 2.7.x before 2.7.15 do not respect the no_log flag when it is set to True and the Sumologic and Splunk callback plugins are used to send task result events to collectors. As a result, any sensitive data in those results is disclosed to and collected by the collectors.
References (6)
Core References
Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864
Exploit, Patch, Third Party Advisory x_refsource_misc
https://github.com/ansible/ansible/issues/63522
Patch, Vendor Advisory x_refsource_misc
https://github.com/ansible/ansible/pull/63527
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2021/dsa-4950
Scores
CVSS v3
6.5
EPSS
0.0186
EPSS Percentile
76.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-532
CWE-117
Status
published
Products (11)
debian/debian_linux
10.0
opensuse/backports_sle
15.0 sp1
opensuse/leap
15.1
pypi/ansible
2.7.0a1 - 2.7.15 (PyPI)
redhat/ansible
2.7.0 - 2.7.15
redhat/ansible_tower
3.0
redhat/ceph_storage
3.0
redhat/cloudforms_management_engine
5.0
redhat/enterprise_linux
6.0
redhat/enterprise_linux
7.0
... and 1 more
Published
Jan 02, 2020
Tracked Since
Feb 18, 2026