7.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-14846

GHSA ID

GHSA-pm48-cvv2-29q5

EPSS Score

0.25927%

CWE

CWE-117

Published

5/24/2022

Updated

9/9/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-14846

CVE-2019-14846: Ansible Uses Plugins That Disclose Credentials

Ansible, all ansible_engine-2.x versions and ansible_engine-3.x up to ansible_engine-3.5, was logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.

(GitHub Advisory)

7.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-14846

GHSA ID

GHSA-pm48-cvv2-29q5

EPSS Score

0.25927%

CWE

CWE-117

Published

5/24/2022

Updated

9/9/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ansible	pip	>= 0, < 2.6.20	2.6.20
ansible	pip	>= 2.7.0a1, < 2.7.14	2.7.14
ansible	pip	>= 2.8.0a1, < 2.8.6	2.8.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from Ansible's logging configuration setting the global log level to DEBUG when LOG_PATH was enabled. This caused libraries like boto3 (used by AWS plugins) to log credentials at DEBUG level. The critical change in the patch was modifying the logging level from DEBUG to INFO in lib/ansible/utils/display.py, specifically in the Display.filter method. This function's DEBUG-level configuration directly enabled credential leakage through third-party library logging behavior.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*nsi*l*, *ll *nsi*l*_*n*in*-*.x v*rsions *n* *nsi*l*_*n*in*-*.x up to *nsi*l*_*n*in*-*.*, w*s lo**in* *t t** ***U* l*v*l w*i** l*** to * *is*losur* o* *r***nti*ls i* * plu*in us** * li*r*ry t**t lo**** *r***nti*ls *t t** ***U* l*v*l. T*is *l*w *o*s n

Reasoning

T** vuln*r**ility st*mm** *rom *nsi*l*'s lo**in* *on*i*ur*tion s*ttin* t** *lo**l lo* l*v*l to ***U* w**n `LO*_P*T*` w*s *n**l**. T*is **us** li*r*ri*s lik* `*oto*` (us** *y *WS plu*ins) to lo* *r***nti*ls *t ***U* l*v*l. T** *riti**l ***n** in t** p

7.8

Basic Information

Concerned about an active attack path?

CVE-2019-14846: Ansible Uses Plugins That Disclose Credentials

7.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI