CVE-2019-14864
Inclusion of Sensitive Information in Log Files and Improper Output Neutralization for Logs in Ansible
6.5
MEDIUM
CVSS 3.1
EPSS 0.86%
Description
Ansible versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and 2.7.x before 2.7.15 do not respect the no_log flag when it is set to True and the Sumologic or Splunk callback plugins are used to send task result events to collectors. As a result, any sensitive data in those task results is disclosed to and collected by the log collector.
How to fix CVE-2019-14864
To remediate CVE-2019-14864, upgrade the affected package to a fixed version below.
- Upgrade to 2.8.8-r0 or later
- Upgrade to 2.9.2+dfsg-1 or later
- Upgrade to 2.7.15 or later
- Upgrade to 2.7.15 or later
Is CVE-2019-14864 being exploited?
Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 2.8.8-r0
- from 0, < 2.9.2+dfsg-1
- >= 2.7.0a1, < 2.7.15
- >= 2.7.0, < 2.7.15, >= 2.8.0, < 2.8.7, >= 2.9.0, < 2.9.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.5) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |