CVE-2019-14846

Description

In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.

How to fix CVE-2019-14846

To remediate CVE-2019-14846, upgrade the affected package to a fixed version below.

• —upgrade to 2.8.6-r0 or later
• —upgrade to 2.8.6-r0 or later
• —upgrade to 2.8.6+dfsg-1 or later
• —upgrade to 1.7.2+dfsg-2+deb8u3 or later
• —upgrade to 2.6.20 or later
• —upgrade to 2.6.20 or later

Is CVE-2019-14846 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (6)

• from 0, < 2.8.6-r0
• from 0, < 2.8.6-r0
• from 0, < 2.8.6+dfsg-1
• from 0, < 1.7.2+dfsg-2+deb8u3
• from 0, < 2.6.20
• from 0, < 2.6.20, >= 2.7.0, < 2.7.14, >= 2.8.0, < 2.8.6

CVSS scores

References (21)

• ADVISORYgithub.com/advisories/GHSA-pm48-cvv2-29q5
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-14846
• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2019-14846
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-14846
• PATCH