GitHub Advisory DatabaseGHSA-3M93-M4Q6-MC6VInclusion of Sensitive Information in Log Files and Improper Output Neutralization for Logs in Ansible
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.003 Low
EPSS
Percentile
68.5%
Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.
Affected configurations
References
lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864
github.com/advisories/GHSA-3m93-m4q6-mc6v
github.com/ansible/ansible/commit/75288a89d0053d6df35c90863fb6c9542d89850e
github.com/ansible/ansible/issues/63522
github.com/ansible/ansible/pull/63527
github.com/ansible/ansible/pull/64273
github.com/ansible/ansible/pull/64274
github.com/ansible/ansible/pull/64748
nvd.nist.gov/vuln/detail/CVE-2019-14864
www.debian.org/security/2021/dsa-4950
Related
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.003 Low
EPSS
Percentile
68.5%