CVE-2019-14864
Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.
Ansible, versiones 2.9.x anteriores a la versión 2.9.1, versiones 2.8.x anteriores a la versión 2.8.7 y Ansible versiones 2.7.x anteriores a la versión 2.7.15, no respeta el flag no_log, configurado en True cuando los plugins de devolución de llamada Sumologic y Splunk son usados para enviar eventos de resultados de tareas para coleccionistas. Esto revelaría y recolectaría cualquier información confidencial.
A data disclosure flaw was found in Ansible when using the Splunk and Sumologic modules, as they are not respecting when the flag no_log is enabled. This flaw can disclose and collect sensitive data from the system and expose it to an attacker.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-08-10 CVE Reserved
- 2019-11-20 CVE Published
- 2024-04-27 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-117: Improper Output Neutralization for Logs
- CWE-532: Insertion of Sensitive Information into Log File
CAPEC
References (8)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/ansible/ansible/issues/63522 | 2024-08-05 |
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864 | 2022-04-22 | |
| https://github.com/ansible/ansible/pull/63527 | 2022-04-22 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Ansible Search vendor "Redhat" for product "Ansible" | >= 2.7.0 < 2.7.15 Search vendor "Redhat" for product "Ansible" and version " >= 2.7.0 < 2.7.15" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Ansible Search vendor "Redhat" for product "Ansible" | >= 2.8.0 < 2.8.7 Search vendor "Redhat" for product "Ansible" and version " >= 2.8.0 < 2.8.7" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Ansible Search vendor "Redhat" for product "Ansible" | >= 2.9.0 < 2.9.1 Search vendor "Redhat" for product "Ansible" and version " >= 2.9.0 < 2.9.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Ansible Tower Search vendor "Redhat" for product "Ansible Tower" | 3.0 Search vendor "Redhat" for product "Ansible Tower" and version "3.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Ceph Storage Search vendor "Redhat" for product "Ceph Storage" | 3.0 Search vendor "Redhat" for product "Ceph Storage" and version "3.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Cloudforms Management Engine Search vendor "Redhat" for product "Cloudforms Management Engine" | 5.0 Search vendor "Redhat" for product "Cloudforms Management Engine" and version "5.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Backports Sle Search vendor "Opensuse" for product "Backports Sle" | 15.0 Search vendor "Opensuse" for product "Backports Sle" and version "15.0" | sp1 |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.1 Search vendor "Opensuse" for product "Leap" and version "15.1" | - |
Affected
| ||||||