CVE-2019-14864 vulnerability in Red Hat and Other Products
Published on January 2, 2020

Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.

Vendor Advisory Vendor Advisory Vendor Advisory NVD

Weakness Types

Improper Output Neutralization for Logs

The software does not neutralize or incorrectly neutralizes output that is written to logs.

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

Products Associated with CVE-2019-14864

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2019-14864 are published in these products:

Red Hat Ansible

Red Hat Ansible Tower

Red Hat Ceph Storage

Red Hat Cloudforms Management Engine

Red Hat Enterprise Linux (RHEL)

Debian Linux

OpenSuse Backports Sle

OpenSuse Leap

Affected Versions

Red Hat Ansible:

Version Ansible versions 2.9.x before 2.9.1 is affected.
Version Ansible versions 2.8.x before 2.8.7 is affected.
Version Ansible versions 2.7.x before 2.7.15 is affected.

Exploit Probability

EPSS

1.01%

Percentile

76.91%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.