6.5

CVE-2019-14864

Exploit
Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RedhatAnsible Version >= 2.7.0 < 2.7.15
RedhatAnsible Version >= 2.8.0 < 2.8.7
RedhatAnsible Version >= 2.9.0 < 2.9.1
RedhatAnsible Tower Version3.0
RedhatCeph Storage Version3.0
RedhatEnterprise Linux Version6.0
RedhatEnterprise Linux Version7.0
RedhatEnterprise Linux Version8.0
DebianDebian Linux Version10.0
OpensuseBackports Sle Version15.0 Updatesp1
OpensuseLeap Version15.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.86% 0.764
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 4 8 2.9
AV:N/AC:L/Au:S/C:P/I:N/A:N
secalert@redhat.com 5.7 2.1 3.6
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CWE-117 Improper Output Neutralization for Logs

The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.

CWE-532 Insertion of Sensitive Information into Log File

The product writes sensitive information to a log file.

https://www.debian.org/security/2021/dsa-4950
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
Third Party Advisory
Mailing List
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
Third Party Advisory
Mailing List
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864
Patch
Vendor Advisory
Issue Tracking
https://github.com/ansible/ansible/issues/63522
Patch
Third Party Advisory
Exploit
https://github.com/ansible/ansible/pull/63527
Patch
Vendor Advisory