CVE-2019-14864

2020-01-0214:23:56

CWE-532

CWE-117

redhat

www.cve.org

5.7 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

6.6 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

68.4%

JSON

Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.

CNA Affected

[
  {
    "product": "Ansible",
    "vendor": "Red Hat",
    "versions": [
      {
        "status": "affected",
        "version": "Ansible versions 2.9.x before 2.9.1"
      },
      {
        "status": "affected",
        "version": "Ansible versions 2.8.x before 2.8.7"
      },
      {
        "status": "affected",
        "version": "Ansible versions 2.7.x before 2.7.15"
      }
    ]
  }
]