CVE-2019-14858: Ansible leaks sensitive information to logs when told not to
CVSS Score: 5.5 (CVSS 3.1)

Basic Information
CVE ID: CVE-2019-14858
GHSA ID:
EPSS Score: 0.11363%
CWE:
Published: 5/24/2022
Updated: 9/10/2024
KEV Status: No
Technology: Python

Technical Details
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
ansible | pip | >= 2.9.0a1, < 2.9.0rc4 | 2.9.0rc4 |
ansible | pip | >= 2.8.0a1, < 2.8.6 | 2.8.6 |
ansible | pip | >= 2.7.0a1, < 2.7.14 | 2.7.14 |
ansible | pip | >= 2.0, < 2.6.20 | 2.6.20 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from no_log processing occurring too late in the validation chain. The commit 0fd656e shows critical changes to _handle_no_log_values where subparameter no_log handling was added, and _handle_options had its _handle_no_log_values call removed. These functions in basic.py were directly responsible for the delayed masking of sensitive data when invalid parameters triggered early failures.
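
The ordering problem described above, as an added example: this is a simplified model, not Ansible's basic.py and not code from this page's source. The argument spec, function names and sample values are hypothetical and constructed for illustration.

```python
# Simplified model of late no_log processing; every name here is hypothetical.
MASK = "********"

SPEC = {  # constructed argument spec: no_log is set only on a sub-option
    "name": {},
    "auth": {"options": {"user": {}, "token": {"no_log": True}}},
}

def collect_no_log(spec, params, found=None):
    """Walk the spec recursively and gather the value of every no_log option."""
    found = set() if found is None else found
    for key, opt in spec.items():
        value = params.get(key)
        if value is None:
            continue
        if opt.get("no_log"):
            found.add(str(value))
        if "options" in opt and isinstance(value, dict):
            collect_no_log(opt["options"], value, found)
    return found

def scrub(text, secrets):
    """Replace every collected secret value in a log string with the mask."""
    for secret in secrets:
        text = text.replace(secret, MASK)
    return text

def check_unknown(spec, params):
    """Early validation step: reject parameter names the spec does not define."""
    unknown = sorted(set(params) - set(spec))
    if unknown:
        raise ValueError("Unsupported parameters: " + ", ".join(unknown))

def run(params, collect_first):
    """Return the record that would be logged for this invocation."""
    secrets = set()
    try:
        if collect_first:        # masking set is built before any check can fail
            secrets = collect_no_log(SPEC, params)
        check_unknown(SPEC, params)
        if not collect_first:    # late order: skipped when validation fails early
            secrets = collect_no_log(SPEC, params)
        return scrub("ok invocation=%r" % params, secrets)
    except ValueError as exc:
        return scrub("failed: %s invocation=%r" % (exc, params), secrets)

# Constructed input: valid secret sub-parameter plus one misspelled parameter name.
PARAMS = {"name": "web", "auth": {"user": "deploy", "token": "s3cr3t-constructed"}, "nmae": "x"}
```

With `collect_first=False` the failure record still contains the token, because the early failure happens before any no_log value has been collected; with `collect_first=True` the same record is masked.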