CVE-2019-14858: Ansible leaks sensitive information to logs when told not to

CVSS Score: 5.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.11363%
Published: 5/24/2022
Updated: 9/10/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ansible | pip | >= 2.9.0a1, < 2.9.0rc4 | 2.9.0rc4 |
| ansible | pip | >= 2.8.0a1, < 2.8.6 | 2.8.6 |
| ansible | pip | >= 2.7.0a1, < 2.7.14 | 2.7.14 |
| ansible | pip | >= 2.0, < 2.6.20 | 2.6.20 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stemmed from no_log processing occurring too late in the validation chain. The commit 0fd656e shows critical changes to _handle_no_log_values where subparameter no_log handling was added, and _handle_options had its _handle_no_log_values call removed. These functions in basic.py were directly responsible for the delayed masking of sensitive data when invalid parameters triggered early failures.
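The ordering problem described above, as an added example: a simplified Python model that is not Ansible's `basic.py` and not code from the commit. `SPEC`, `SAMPLE`, every function name and the `<masked>` string are constructed for illustration; the model assumes the failure text echoes the invocation parameters.

```python
# Simplified model of the ordering problem; NOT Ansible's basic.py.
# SPEC, SAMPLE, all function names and the mask string are constructed.
SPEC = {
    "name": {"type": "str"},
    "credentials": {"type": "dict", "options": {
        "user": {"type": "str"},
        "password": {"type": "str", "no_log": True},  # no_log on a subparameter
    }},
}
SAMPLE = {"name": "db", "nmae": "typo",  # "nmae" is the invalid parameter name
          "credentials": {"user": "svc", "password": "s3cr3t-constructed"}}

def collect_no_log_values(spec, params):
    """Recursively gather values marked no_log, descending into suboptions."""
    secrets = set()
    for key, opts in spec.items():
        value = params.get(key)
        if opts.get("no_log") and value is not None:
            secrets.add(str(value))
        elif isinstance(value, dict) and "options" in opts:
            secrets |= collect_no_log_values(opts["options"], value)
    return secrets

def check_unsupported(spec, params, secrets):
    """Return failure text for unknown names, masking only the secrets known so far."""
    unknown = sorted(set(params) - set(spec))
    if not unknown:
        return ""
    msg = "Unsupported parameters: %s. Invocation: %r" % (", ".join(unknown), params)
    for secret in secrets:
        msg = msg.replace(secret, "<masked>")
    return msg

def run_late_masking(params):
    """Vulnerable ordering: validation fails before no_log values are collected."""
    error = check_unsupported(SPEC, params, set())
    if error:
        return error  # early exit: the collection step below never ran
    collect_no_log_values(SPEC, params)
    return ""

def run_early_masking(params):
    """Fixed ordering: collect no_log values (subparameters too), then validate."""
    secrets = collect_no_log_values(SPEC, params)
    return check_unsupported(SPEC, params, secrets)

if __name__ == "__main__":
    for run in (run_late_masking, run_early_masking):
        print(run.__name__, "->", run(SAMPLE))
```

A regression test for a module can follow the same pattern: pass one misspelled parameter alongside a populated `no_log` subparameter and assert that the secret does not appear in the failure output.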


WAF Protection Rules

WAF Rule

A vulnerability was found in Ansible engine *.x up to *.* and Ansible tower *.x up to *.*. When a module has an argument_spec with sub parameters marked as `no_log`, passing an invalid parameter name to the module will cause the task to fail before t
