
CVE-2019-14846: Ansible Uses Plugins That Disclose Credentials

CVSS Score (v3.1): 7.8

Basic Information

EPSS Score: 0.25927%
Published: 5/24/2022
Updated: 9/9/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name   Ecosystem   Vulnerable Versions       First Patched Version
ansible        pip         >= 0, < 2.6.20            2.6.20
ansible        pip         >= 2.7.0a1, < 2.7.14      2.7.14
ansible        pip         >= 2.8.0a1, < 2.8.6       2.8.6

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from Ansible's logging configuration setting the global log level to DEBUG when LOG_PATH was enabled. This caused libraries like boto3 (used by AWS plugins) to log credentials at DEBUG level. The critical change in the patch was modifying the logging level from DEBUG to INFO in lib/ansible/utils/display.py, specifically in the Display.filter method. This function's DEBUG-level configuration directly enabled credential leakage through third-party library logging behavior.
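As an added illustration of that root cause (example code, not Ansible's or Miggo's): a simplified model in which a handler is installed on the root logger at a global level, as Ansible's LOG_PATH setup did, and a constructed stand-in for a library such as boto3 emits a DEBUG record that carries a credential. The logger name, the key values and the library stand-in are assumptions; the point shown is that the global level alone decides whether the third-party DEBUG record reaches the log file.

```python
import io
import logging

# Constructed stand-in for a third-party library (boto3-like) that, at DEBUG,
# logs request details including the credentials it signs with.
_lib_log = logging.getLogger("thirdparty.client")

# Constructed sample credentials (not real keys).
ACCESS_KEY = "AKIA-CONSTRUCTED-EXAMPLE"
SECRET_KEY = "constructed-secret-hunter2"


def library_call(access_key: str, secret_key: str) -> str:
    """Plugin code calling into the library; the library logs at DEBUG."""
    _lib_log.debug("signing request with key=%s secret=%s", access_key, secret_key)
    _lib_log.info("request sent")
    return "ok"


def run_plugin_with_global_level(level: int) -> str:
    """Model of the LOG_PATH behaviour: one handler on the root logger whose
    level is set globally. Returns everything that reached the log sink."""
    sink = io.StringIO()
    handler = logging.StreamHandler(sink)
    handler.setFormatter(logging.Formatter("%(name)s %(levelname)s %(message)s"))
    root = logging.getLogger()
    previous_level = root.level
    root.addHandler(handler)
    root.setLevel(level)          # the library logger inherits this level
    try:
        library_call(ACCESS_KEY, SECRET_KEY)
    finally:
        root.removeHandler(handler)
        root.setLevel(previous_level)
    return sink.getvalue()


def vulnerable_run() -> str:
    """Global DEBUG, as before the patch: the library's DEBUG record is written."""
    return run_plugin_with_global_level(logging.DEBUG)


def patched_run() -> str:
    """Global INFO, as after the patch: the DEBUG record is dropped."""
    return run_plugin_with_global_level(logging.INFO)


def credential_leaked(log_text: str) -> bool:
    """Detection check a defender can run over a log file: is the secret present?"""
    return SECRET_KEY in log_text
```

Running the same check over an existing log directory is a quick way to confirm whether an affected installation with LOG_PATH enabled has already written credentials to disk.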


WAF Protection Rules

WAF Rule

Ansible, all ansible_engine-2.x versions and ansible_engine-3.x up to ansible_engine-3.5, was logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does n
