CVSS: 6.5EPSS: 0%CPEs: 12EXPL: 1CVE-2019-14864 – Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs
https://notcve.org/view.php?id=CVE-2019-14864
Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data. Ansible, versiones 2.9.x anteriores a la versión 2.9.1, versiones 2.8.x anteriores a la versión 2.8.7 y Ansible versiones 2.7.x anteriores a la versión 2.7.15, no respeta el flag no_log, configurado en True cuando los plugins de devolución de llamada Sumologic y Splunk son usados para enviar eventos de resultados de tareas para coleccionistas. Esto revelaría y recolectaría cualquier información confidencial. A data disclosure flaw was found in Ansible when using the Splunk and Sumologic modules, as they are not respecting when the flag no_log is enabled. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864 https://github.com/ansible/ansible/issues/63522 https://github.com/ansible/ansible/pull/63527 https://www.debian.org/security/2021/dsa-4950 https://access.redhat.com/security/cve/CVE-2019-14864 https://bugzilla.redhat.com/show_bug.cgi?id=1764148 • CWE-117: Improper Output Neutralization for Logs CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 0CVE-2019-14858 – ansible: sub parameters marked as no_log are not masked in certain failure scenarios
https://notcve.org/view.php?id=CVE-2019-14858
A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task. Se detectó una vulnerabilidad en Ansible engine versión 2.x hasta 2.8 y Ansible tower versión 3.x hasta 3.5. Cuando un módulo tiene un argumento_spec con subparámetros marcados como no_log, pasar un nombre de parámetro no válido al módulo hará que la tarea falle antes de que se procesen las opciones no_log en los subparámetros. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html https://access.redhat.com/errata/RHSA-2019:3201 https://access.redhat.com/errata/RHSA-2019:3202 https://access.redhat.com/errata/RHSA-2019:3203 https://access.redhat.com/errata/RHSA-2019:3207 https://access.redhat.com/errata/RHSA-2020:0756 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14858 https://access.redhat.com/security& • CWE-117: Improper Output Neutralization for Logs CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.8EPSS: 0%CPEs: 13EXPL: 0CVE-2019-14846 – ansible: secrets disclosed on logs when no_log enabled
https://notcve.org/view.php?id=CVE-2019-14846
In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process. En Ansible, todas las versiones de Ansible Engine hasta ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, se registraban en el nivel DEBUG, lo que conlleva a la divulgación de credenciales si un plugin usó una biblioteca que registraba credenciales en el nivel DEBUG. Este defecto no afecta a los módulos de Ansible, ya que son ejecutados en un proceso separado. Ansible was logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html https://access.redhat.com/errata/RHSA-2019:3201 https://access.redhat.com/errata/RHSA-2019:3202 https://access.redhat.com/errata/RHSA-2019:3203 https://access.redhat.com/errata/RHSA-2019:3207 https://access.redhat.com/errata/RHSA-2020:0756 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14846 https://github.com/ansible/ansible • CWE-117: Improper Output Neutralization for Logs CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.3EPSS: 0%CPEs: 17EXPL: 0CVE-2018-16876 – ansible: Information disclosure in vvv+ mode with no_log on
https://notcve.org/view.php?id=CVE-2018-16876
ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensible data. ansible en versiones anteriores a las 2.5.14, 2.6.11 y 2.7.5 es vulnerable a un fallo de divulgación de información en el modo vvv+ con "no_log" habilitado, el cual podría provocar el filtrado de datos sensibles. • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html http://www.securityfocus.com/bid/106225 https://access.redhat.com/errata/RHSA-2018:3835 https://access.redhat.com/errata/RHSA-2018:3836 https://access.redhat.com/errata/RHSA-2018:3837 https://access.redhat.com/errata/RHSA-2018:3838 https://access.redhat.com/errata& • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.4EPSS: 0%CPEs: 4EXPL: 0CVE-2018-16859 – ansible: become password logged in plaintext when used with PowerShell on Windows
https://notcve.org/view.php?id=CVE-2018-16859
Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable. Ejecucion de playbooks Ansible en plataformas Windows con PowerShell ScriptBlock logging y Module logging activados puede permitir que aparezcan contraseñas "become" en EventLogs en texto plano. Un usuario local con privilegios de administrador en la máquina puede visualizar estos registros y descubrir la contraseña en texto plano. • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html http://www.securityfocus.com/bid/106004 https://access.redhat.com/errata/RHSA-2018:3770 https://access.redhat.com/errata/RHSA-2018:3771 https://access.redhat.com/errata/RHSA-2018:3772 https://access.redhat.com/errata/RHSA-2018:3773 https://bugzilla.redhat.com/show& • CWE-532: Insertion of Sensitive Information into Log File •