5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-14858

GHSA ID

GHSA-h653-95qw-h2mp

EPSS Score

0.11363%

CWE

CWE-532

Published

5/24/2022

Updated

9/10/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-14858

CVE-2019-14858: Ansible leaks sensitive information to logs when told not to

A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.

(GitHub Advisory)

5.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-14858

GHSA ID

GHSA-h653-95qw-h2mp

EPSS Score

0.11363%

CWE

CWE-532

Published

5/24/2022

Updated

9/10/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ansible	pip	>= 2.9.0a1, < 2.9.0rc4	2.9.0rc4
ansible	pip	>= 2.8.0a1, < 2.8.6	2.8.6
ansible	pip	>= 2.7.0a1, < 2.7.14	2.7.14
ansible	pip	>= 2.0, < 2.6.20	2.6.20

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from no_log processing occurring too late in the validation chain. The commit 0fd656e shows critical changes to _handle_no_log_values where subparameter no_log handling was added, and _handle_options had its _handle_no_log_values call removed. These functions in basic.py were directly responsible for the delayed masking of sensitive data when invalid parameters triggered early failures.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in *nsi*l* *n*in* *.x up to *.* *n* *nsi*l* tow*r *.x up to *.*. W**n * mo*ul* **s *n *r*um*nt_sp** wit* su* p*r*m*t*rs m*rk** *s `no_lo*`, p*ssin* *n inv*li* p*r*m*t*r n*m* to t** mo*ul* will **us* t** t*sk to **il ***or* t

Reasoning

T** vuln*r**ility st*mm** *rom no_lo* pro**ssin* o**urrin* too l*t* in t** v*li**tion ***in. T** *ommit ******* s*ows *riti**l ***n**s to _**n*l*_no_lo*_v*lu*s w**r* su*p*r*m*t*r no_lo* **n*lin* w*s *****, *n* _**n*l*_options *** its _**n*l*_no_lo*_v

5.5

Basic Information

Concerned about an active attack path?

CVE-2019-14858: Ansible leaks sensitive information to logs when told not to

5.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI