6.5
CVE-2019-14864
- EPSS 1.86%
- Veröffentlicht 02.01.2020 15:15:12
- Zuletzt bearbeitet 21.11.2024 04:27:31
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Redhat ≫ Ansible Tower Version3.0
Redhat ≫ Ceph Storage Version3.0
Redhat ≫ Cloudforms Management Engine Version5.0
Redhat ≫ Enterprise Linux Version6.0
Redhat ≫ Enterprise Linux Version7.0
Redhat ≫ Enterprise Linux Version8.0
Debian ≫ Debian Linux Version10.0
Opensuse ≫ Backports Sle Version15.0 Updatesp1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.86% | 0.764 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 4 | 8 | 2.9 |
AV:N/AC:L/Au:S/C:P/I:N/A:N
|
| secalert@redhat.com | 5.7 | 2.1 | 3.6 |
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
|
CWE-117 Improper Output Neutralization for Logs
The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.
CWE-532 Insertion of Sensitive Information into Log File
The product writes sensitive information to a log file.
https://www.debian.org/security/2021/dsa-4950
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864
https://github.com/ansible/ansible/issues/63522
https://github.com/ansible/ansible/pull/63527