CVE-2019-14846

ansible: secrets disclosed on logs when no_log enabled

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.

En Ansible, todas las versiones de Ansible Engine hasta ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, se registraban en el nivel DEBUG, lo que conlleva a la divulgación de credenciales si un plugin usó una biblioteca que registraba credenciales en el nivel DEBUG. Este defecto no afecta a los módulos de Ansible, ya que son ejecutados en un proceso separado.

Ansible was logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.

It was discovered that Ansible did not properly verify certain fields of X.509 certificates. An attacker could possibly use this issue to spoof SSL servers if they were able to intercept network communications. This issue only affected Ubuntu 14.04 LTS. Martin Carpenter discovered that certain connection plugins for Ansible did not properly restrict users. An attacker with local access could possibly use this issue to escape a restricted environment via symbolic links misuse. This issue only affected Ubuntu 14.04 LTS.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-08-10 CVE Reserved
2019-10-08 CVE Published
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-117: Improper Output Neutralization for Logs
CWE-532: Insertion of Sensitive Information into Log File

CAPEC

References (14)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html	Mailing List
https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html	Mailing List

URL	Date	SRC

URL	Date	SRC
https://github.com/ansible/ansible/pull/63366	2022-04-22

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html	2022-04-22
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html	2022-04-22
https://access.redhat.com/errata/RHSA-2019:3201	2022-04-22
https://access.redhat.com/errata/RHSA-2019:3202	2022-04-22
https://access.redhat.com/errata/RHSA-2019:3203	2022-04-22
https://access.redhat.com/errata/RHSA-2019:3207	2022-04-22
https://access.redhat.com/errata/RHSA-2020:0756	2022-04-22
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14846	2022-04-22
https://www.debian.org/security/2021/dsa-4950	2022-04-22
https://access.redhat.com/security/cve/CVE-2019-14846	2020-03-10
https://bugzilla.redhat.com/show_bug.cgi?id=1755373	2020-03-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"	Ansible Engine Search vendor "Redhat" for product "Ansible Engine"	2.0 Search vendor "Redhat" for product "Ansible Engine" and version "2.0"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"	7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"	-	Safe
Redhat Search vendor "Redhat"	Ansible Engine Search vendor "Redhat" for product "Ansible Engine"	2.0 Search vendor "Redhat" for product "Ansible Engine" and version "2.0"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"	8.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "8.0"	-	Safe
Redhat Search vendor "Redhat"	Ansible Engine Search vendor "Redhat" for product "Ansible Engine"	2.8.0 Search vendor "Redhat" for product "Ansible Engine" and version "2.8.0"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"	7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"	-	Safe
Redhat Search vendor "Redhat"	Ansible Engine Search vendor "Redhat" for product "Ansible Engine"	2.8.0 Search vendor "Redhat" for product "Ansible Engine" and version "2.8.0"	-	Affected	in	Redhat Search vendor "Redhat"	Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"	8.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "8.0"	-	Safe
Redhat Search vendor "Redhat"		Ansible Engine Search vendor "Redhat" for product "Ansible Engine"				< 2.6.20 Search vendor "Redhat" for product "Ansible Engine" and version " < 2.6.20"		-		Affected
Redhat Search vendor "Redhat"		Ansible Engine Search vendor "Redhat" for product "Ansible Engine"				>= 2.7.0 < 2.7.14 Search vendor "Redhat" for product "Ansible Engine" and version " >= 2.7.0 < 2.7.14"		-		Affected
Redhat Search vendor "Redhat"		Ansible Engine Search vendor "Redhat" for product "Ansible Engine"				>= 2.8.0 < 2.8.6 Search vendor "Redhat" for product "Ansible Engine" and version " >= 2.8.0 < 2.8.6"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Opensuse Search vendor "Opensuse"		Backports Sle Search vendor "Opensuse" for product "Backports Sle"				15.0 Search vendor "Opensuse" for product "Backports Sle" and version "15.0"		sp1		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected
Redhat Search vendor "Redhat"		Openstack Search vendor "Redhat" for product "Openstack"				13 Search vendor "Redhat" for product "Openstack" and version "13"		-		Affected