CVE-2019-14858
Ansible leaks sensitive information to logs when told not to
5.5
MEDIUM
CVSS 3.1
EPSS 0.08%
Description
A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.
How to fix CVE-2019-14858
To remediate CVE-2019-14858, upgrade the affected package to a fixed version below.
- —upgrade to 2.8.6-r0 or later
- —upgrade to 2.8.6-r0 or later
- —upgrade to 2.8.6+dfsg-1 or later
- —upgrade to 2.9.0rc4 or later
- —upgrade to 2.8.1 or later
Is CVE-2019-14858 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (5)
- from 0, < 2.8.6-r0
- from 0, < 2.8.6-r0
- from 0, < 2.8.6+dfsg-1
- >= 2.9.0a1, < 2.9.0rc4
- >= 2.0, < 2.8.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |