Vulnerability Details : CVE-2019-14864
Ansible versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and 2.7.x before 2.7.15 do not respect the no_log flag when it is set to True while the Sumologic and Splunk callback plugins are used to send task result events to collectors. As a result, any sensitive data in those results is disclosed to and collected by the log collector.
Products affected by CVE-2019-14864
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ceph_storage:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_tower:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-14864
- 1.15%: probability of exploitation activity in the next 30 days
- ~78%: percentile, i.e. the proportion of vulnerabilities that are scored at or below this EPSS score
CVSS scores for CVE-2019-14864
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N | 8.0 | 2.9 | NIST | |
| 5.7 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N | 2.1 | 3.6 | Red Hat, Inc. | |
| 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 | NIST | |
CWE ids for CVE-2019-14864
- The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file. Assigned by: secalert@redhat.com (Primary)
- The product writes sensitive information to a log file. Assigned by: nvd@nist.gov (Secondary); secalert@redhat.com (Primary)
References for CVE-2019-14864
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
  [security-announce] openSUSE-SU-2020:0513-1: moderate: Security update f (Mailing List; Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864
  1764148 – (CVE-2019-14864) CVE-2019-14864 Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs (Issue Tracking; Patch; Vendor Advisory)
- https://github.com/ansible/ansible/issues/63522
  Sumologic callback plugin logging sensitive data · Issue #63522 · ansible/ansible · GitHub (Exploit; Patch; Third Party Advisory)
- https://www.debian.org/security/2021/dsa-4950
  Debian -- Security Information -- DSA-4950-1 ansible (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
  [security-announce] openSUSE-SU-2020:0523-1: moderate: Security update f (Mailing List; Third Party Advisory)
- https://github.com/ansible/ansible/pull/63527
  removing args from task_fields as it can contain sensitive data by poblahblahblah · Pull Request #63527 · ansible/ansible · GitHub (Patch; Vendor Advisory)