Skip to main content

Ansible Engine CVE-2019-14858

MEDIUM
Improper Output Neutralization for Logs (CWE-117)
2019-10-14 secalert@redhat.com
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 14, 2019 - 15:15 nvd
MEDIUM 5.5

DescriptionNVD

A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.

AnalysisAI

A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-117. A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task. Affected products include: Redhat Ansible Engine, Redhat Ansible Tower. Version information: up to 2.8.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2018-7750 CRITICAL POC
9.8 Mar 13

transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x

CVE-2020-14330 MEDIUM POC
5.5 Sep 11

An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is

CVE-2020-1753 MEDIUM POC
5.5 Mar 16

A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prio

CVE-2020-1737 HIGH
7.8 Mar 09

A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function f

CVE-2019-14846 HIGH
7.8 Oct 08

In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were l

CVE-2018-16837 HIGH
7.8 Oct 23

Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. Rated high severity (CVSS 7.8), th

CVE-2018-10875 HIGH
7.8 Jul 13

A flaw was found in ansible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patc

CVE-2018-10874 HIGH
7.8 Jul 02

In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command w

CVE-2021-20228 HIGH
7.5 Apr 29

A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the

CVE-2020-1734 HIGH
7.4 Mar 03

A flaw was found in the pipe lookup plugin of ansible. Rated high severity (CVSS 7.4). No vendor patch available.

CVE-2021-3583 HIGH
7.1 Sep 22

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. Rated high severity (CVSS 7.

CVE-2020-14365 HIGH
7.1 Sep 23

A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, wh

Share

CVE-2019-14858 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy