CVE-2019-14856

ansible: Incomplete fix for CVE-2019-10206

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None

ansible versiones anteriores a 2.8.6, 2.7.14, 2.6.20 es vulnerable a un None

The fix for CVE-2019-10206 was found to be incomplete for the data disclosure flaw in ansible. Password prompts in ansible-playbook and ansible-cli tools could expose passwords with special characters as they are not properly wrapped. A password with special characters is exposed starting with the first of these special characters. The highest threat from this vulnerability is to data confidentiality.

Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. An incomplete fix for CVE-2019-10206 and a secret disclosure issue were both addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-08-10 CVE Reserved
2019-10-24 CVE Published
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-287: Improper Authentication

CAPEC

References (6)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html	2021-08-04
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html	2021-08-04
https://access.redhat.com/errata/RHSA-2020:0756	2021-08-04
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14856	2021-08-04
https://access.redhat.com/security/cve/CVE-2019-14856	2020-03-10
https://bugzilla.redhat.com/show_bug.cgi?id=1760829	2020-03-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Ansible Search vendor "Redhat" for product "Ansible"				>= 2.6.0 < 2.6.20 Search vendor "Redhat" for product "Ansible" and version " >= 2.6.0 < 2.6.20"		-		Affected
Redhat Search vendor "Redhat"		Ansible Search vendor "Redhat" for product "Ansible"				>= 2.7.0 < 2.7.14 Search vendor "Redhat" for product "Ansible" and version " >= 2.7.0 < 2.7.14"		-		Affected
Redhat Search vendor "Redhat"		Ansible Search vendor "Redhat" for product "Ansible"				>= 2.8.0 < 2.8.6 Search vendor "Redhat" for product "Ansible" and version " >= 2.8.0 < 2.8.6"		-		Affected
Opensuse Search vendor "Opensuse"		Backports Sle Search vendor "Opensuse" for product "Backports Sle"				15.0 Search vendor "Opensuse" for product "Backports Sle" and version "15.0"		sp1		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected
Redhat Search vendor "Redhat"		Openstack Search vendor "Redhat" for product "Openstack"				13 Search vendor "Redhat" for product "Openstack" and version "13"		-		Affected