CVE-2019-14858 : A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x

A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.

Published 2019-10-14 15:15:10

Updated 2019-10-24 23:15:13

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2019-14858

Redhat » Ansible Tower
Versions from including (>=) 3.0 and up to, including, (<=) 3.5.0
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
Matching versions
Redhat » Ansible Engine
Versions from including (>=) 2.0 and up to, including, (<=) 2.8.0
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-14858

EPSS FAQ

0.07%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 19 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-14858

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:L/AC:L/Au:N/C:P/I:N/A:N	3.9	2.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
7.3	HIGH	CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H	1.3	5.9	Red Hat, Inc.
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
5.5	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2019-14858

CWE-117 Improper Output Neutralization for Logs

The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.

Assigned by: secalert@redhat.com (Secondary)
CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.
Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)

References for CVE-2019-14858

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html

[security-announce] openSUSE-SU-2020:0513-1: moderate: Security update f

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:3202

RHSA-2019:3202 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:3203

RHSA-2019:3203 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html

[security-announce] openSUSE-SU-2020:0523-1: moderate: Security update f

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2020:0756

RHSA-2020:0756 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:3201

RHSA-2019:3201 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14858

1760593 – (CVE-2019-14858) CVE-2019-14858 ansible: sub parameters marked as no_log are not masked in certain failure scenarios
Issue Tracking;Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3207

RHSA-2019:3207 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2019-14858

Products affected by CVE-2019-14858

Exploit prediction scoring system (EPSS) score for CVE-2019-14858

CVSS scores for CVE-2019-14858

CWE ids for CVE-2019-14858

References for CVE-2019-14858