// For flags

CVE-2019-14846

ansible: secrets disclosed on logs when no_log enabled

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.

En Ansible, todas las versiones de Ansible Engine hasta ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, se registraban en el nivel DEBUG, lo que conlleva a la divulgación de credenciales si un plugin usó una biblioteca que registraba credenciales en el nivel DEBUG. Este defecto no afecta a los módulos de Ansible, ya que son ejecutados en un proceso separado.

Ansible was logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-08-10 CVE Reserved
  • 2019-10-08 CVE Published
  • 2024-08-05 CVE Updated
  • 2024-10-01 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-117: Improper Output Neutralization for Logs
  • CWE-532: Insertion of Sensitive Information into Log File
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Redhat
Search vendor "Redhat"
Ansible Engine
Search vendor "Redhat" for product "Ansible Engine"
2.0
Search vendor "Redhat" for product "Ansible Engine" and version "2.0"
-
Affected
in Redhat
Search vendor "Redhat"
Enterprise Linux Server
Search vendor "Redhat" for product "Enterprise Linux Server"
7.0
Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"
-
Safe
Redhat
Search vendor "Redhat"
Ansible Engine
Search vendor "Redhat" for product "Ansible Engine"
2.0
Search vendor "Redhat" for product "Ansible Engine" and version "2.0"
-
Affected
in Redhat
Search vendor "Redhat"
Enterprise Linux Server
Search vendor "Redhat" for product "Enterprise Linux Server"
8.0
Search vendor "Redhat" for product "Enterprise Linux Server" and version "8.0"
-
Safe
Redhat
Search vendor "Redhat"
Ansible Engine
Search vendor "Redhat" for product "Ansible Engine"
2.8.0
Search vendor "Redhat" for product "Ansible Engine" and version "2.8.0"
-
Affected
in Redhat
Search vendor "Redhat"
Enterprise Linux Server
Search vendor "Redhat" for product "Enterprise Linux Server"
7.0
Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"
-
Safe
Redhat
Search vendor "Redhat"
Ansible Engine
Search vendor "Redhat" for product "Ansible Engine"
2.8.0
Search vendor "Redhat" for product "Ansible Engine" and version "2.8.0"
-
Affected
in Redhat
Search vendor "Redhat"
Enterprise Linux Server
Search vendor "Redhat" for product "Enterprise Linux Server"
8.0
Search vendor "Redhat" for product "Enterprise Linux Server" and version "8.0"
-
Safe
Redhat
Search vendor "Redhat"
Ansible Engine
Search vendor "Redhat" for product "Ansible Engine"
< 2.6.20
Search vendor "Redhat" for product "Ansible Engine" and version " < 2.6.20"
-
Affected
Redhat
Search vendor "Redhat"
Ansible Engine
Search vendor "Redhat" for product "Ansible Engine"
>= 2.7.0 < 2.7.14
Search vendor "Redhat" for product "Ansible Engine" and version " >= 2.7.0 < 2.7.14"
-
Affected
Redhat
Search vendor "Redhat"
Ansible Engine
Search vendor "Redhat" for product "Ansible Engine"
>= 2.8.0 < 2.8.6
Search vendor "Redhat" for product "Ansible Engine" and version " >= 2.8.0 < 2.8.6"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
8.0
Search vendor "Debian" for product "Debian Linux" and version "8.0"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected
Opensuse
Search vendor "Opensuse"
Backports Sle
Search vendor "Opensuse" for product "Backports Sle"
15.0
Search vendor "Opensuse" for product "Backports Sle" and version "15.0"
sp1
Affected
Opensuse
Search vendor "Opensuse"
Leap
Search vendor "Opensuse" for product "Leap"
15.1
Search vendor "Opensuse" for product "Leap" and version "15.1"
-
Affected
Redhat
Search vendor "Redhat"
Openstack
Search vendor "Redhat" for product "Openstack"
13
Search vendor "Redhat" for product "Openstack" and version "13"
-
Affected