{"containers": {"cna": {"affected": [{"product": "Ansible", "vendor": "Red Hat", "versions": [{"status": "affected", "version": "Ansible versions 2.9.x before 2.9.1"}, {"status": "affected", "version": "Ansible versions 2.8.x before 2.8.7"}, {"status": "affected", "version": "Ansible versions 2.7.x before 2.7.15"}]}], "descriptions": [{"lang": "en", "value": "Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-117", "description": "CWE-117", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-532", "description": "CWE-532", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-07T14:06:17", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ansible/ansible/issues/63522"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ansible/ansible/pull/63527"}, {"name": "openSUSE-SU-2020:0513", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"}, {"name": "openSUSE-SU-2020:0523", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"}, {"name": "DSA-4950", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4950"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2019-14864", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Ansible", "version": {"version_data": [{"version_value": "Ansible versions 2.9.x before 2.9.1"}, {"version_value": "Ansible versions 2.8.x before 2.8.7"}, {"version_value": "Ansible versions 2.7.x before 2.7.15"}]}}]}, "vendor_name": "Red Hat"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data."}]}, "impact": {"cvss": [[{"vectorString": "5.7/CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-117"}]}, {"description": [{"lang": "eng", "value": "CWE-532"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864"}, {"name": "https://github.com/ansible/ansible/issues/63522", "refsource": "MISC", "url": "https://github.com/ansible/ansible/issues/63522"}, {"name": "https://github.com/ansible/ansible/pull/63527", "refsource": "MISC", "url": "https://github.com/ansible/ansible/pull/63527"}, {"name": "openSUSE-SU-2020:0513", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"}, {"name": "openSUSE-SU-2020:0523", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"}, {"name": "DSA-4950", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4950"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:26:39.116Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ansible/ansible/issues/63522"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ansible/ansible/pull/63527"}, {"name": "openSUSE-SU-2020:0513", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"}, {"name": "openSUSE-SU-2020:0523", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"}, {"name": "DSA-4950", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4950"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-14864", "datePublished": "2020-01-02T14:23:56", "dateReserved": "2019-08-10T00:00:00", "dateUpdated": "2024-08-05T00:26:39.116Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "matchCriteriaId": "A07CAD2A-F1AB-474D-B7F2-92DA86E2F4AE", "versionEndExcluding": "2.7.15", "versionStartIncluding": "2.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "matchCriteriaId": "2ACB4513-DE0E-4EB6-91FC-D72D716595AE", "versionEndExcluding": "2.8.7", "versionStartIncluding": "2.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "matchCriteriaId": "D1E0146B-CADF-4EB8-BB92-87926B6FCFF2", "versionEndExcluding": "2.9.1", "versionStartIncluding": "2.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_tower:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "B31C575C-06D2-4CAF-A5B7-B9469B3ED55F", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ceph_storage:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "516F4E8E-ED2F-4282-9DAB-D8B378F61258", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "7098B44F-56BF-42E3-8831-48D0A8E99EE2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "40513095-7E6E-46B3-B604-C926F1BA3568", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data."}, {"lang": "es", "value": "Ansible, versiones 2.9.x anteriores a la versi\u00f3n 2.9.1, versiones 2.8.x anteriores a la versi\u00f3n 2.8.7 y Ansible versiones 2.7.x anteriores a la versi\u00f3n 2.7.15, no respeta el flag no_log, configurado en True cuando los plugins de devoluci\u00f3n de llamada Sumologic y Splunk son usados para enviar eventos de resultados de tareas para coleccionistas. Esto revelar\u00eda y recolectar\u00eda cualquier informaci\u00f3n confidencial."}], "id": "CVE-2019-14864", "lastModified": "2022-04-22T19:59:14.133", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-02T15:15:12.303", "references": [{"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/ansible/ansible/issues/63522"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/ansible/ansible/pull/63527"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4950"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-117"}, {"lang": "en", "value": "CWE-532"}], "source": "secalert@redhat.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Abhijeet Kasurde (Red Hat) and Patrick O\u2019Brien (The Trade Desk Inc).", "affected_release": [{"advisory": "RHSA-2019:3925", "cpe": "cpe:/a:redhat:ansible_engine:2.7::el7", "impact": "moderate", "package": "ansible-0:2.7.15-1.el7ae", "product_name": "Red Hat Ansible Engine 2.7 for RHEL 7", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3926", "cpe": "cpe:/a:redhat:ansible_engine:2.8::el7", "impact": "moderate", "package": "ansible-0:2.8.7-1.el7ae", "product_name": "Red Hat Ansible Engine 2.8 for RHEL 7", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3926", "cpe": "cpe:/a:redhat:ansible_engine:2.8::el8", "impact": "moderate", "package": "ansible-0:2.8.7-1.el8ae", "product_name": "Red Hat Ansible Engine 2.8 for RHEL 8", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3927", "cpe": "cpe:/a:redhat:ansible_engine:2.9::el7", "impact": "moderate", "package": "ansible-0:2.9.1-1.el7", "product_name": "Red Hat Ansible Engine 2.9 for RHEL 7", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3927", "cpe": "cpe:/a:redhat:ansible_engine:2.9::el8", "impact": "moderate", "package": "ansible-0:2.9.1-1.el8", "product_name": "Red Hat Ansible Engine 2.9 for RHEL 8", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3928", "cpe": "cpe:/a:redhat:ansible_engine:2::el7", "impact": "moderate", "package": "ansible-0:2.9.1-1.el7", "product_name": "Red Hat Ansible Engine 2 for RHEL 7", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3928", "cpe": "cpe:/a:redhat:ansible_engine:2::el8", "impact": "moderate", "package": "ansible-0:2.9.1-1.el8", "product_name": "Red Hat Ansible Engine 2 for RHEL 8", "release_date": "2019-11-20T00:00:00Z"}], "bugzilla": {"description": "Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs", "id": "1764148", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1764148"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.7", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-117->CWE-532", "details": ["Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.", "A data disclosure flaw was found in Ansible when using the Splunk and Sumologic modules, as they are not respecting when the flag no_log is enabled. This flaw can disclose and collect sensitive data from the system and expose it to an attacker."], "name": "CVE-2019-14864", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Not affected", "package_name": "ansible", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/a:redhat:ansible_tower:3", "fix_state": "Not affected", "impact": "moderate", "package_name": "ansible", "product_name": "Red Hat Ansible Tower 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "ansible", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "package_name": "ansible", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Will not fix", "package_name": "ansible", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "package_name": "ansible", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:14", "fix_state": "Will not fix", "package_name": "ansible", "product_name": "Red Hat OpenStack Platform 14 (Rocky)"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Out of support scope", "package_name": "ansible", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Will not fix", "package_name": "ansible", "product_name": "Red Hat Storage 3"}], "public_date": "2019-10-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-14864\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-14864"], "statement": "* The exploitation of this flaw depends on the use of either Sumo Logic or Splunk callback plugins. However, because Red Hat OpenStack Platform (RHOSP) does not use Sumo Logic or Splunk, Red Hat will not be providing a fix for RHOSP Ansible at this time.\n* Red Hat Gluster Storage no more maintains its own version of Ansible, pre-requisite is to enable ansible repository. The fix will be consumed from core Ansible.\n* Ansible Tower\u2019s Splunk logging integration uses the Splunk HTTP Collector and Ansible Engine.\n* The exploitation of this flaw depends on the use of either Sumo Logic or Splunk callback plugins. However, because Red Hat Satellite 6.4 and 6.5 do not use Sumo Logic or Splunk, Red Hat will not be providing a fix for Satellite 6.4 and 6.5 and Ansible at this time. Users may upgrade to Satellite 6.6 or later which includes the resolution to this bug if desired.", "threat_severity": "Moderate", "upstream_fix": "ansible-engine 2.9.1, ansible-engine 2.8.7, ansible-engine 2.7.15"}