CVE-2019-14864: Inclusion of Sensitive Information in Log Files and Improper Output Neutralization for Logs in Ansible
CVSS Score: 6.5 (CVSS v3.1)
Basic Information
CVE ID: CVE-2019-14864
GHSA ID:
EPSS Score: 0.77585%
CWE: CWE-532 (Inclusion of Sensitive Information in Log Files); CWE-117 (Improper Output Neutralization for Logs)
Published: 2/26/2020
Updated: 9/4/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
ansible | pip | >= 2.7.0a1, < 2.7.15 | 2.7.15 |
ansible | pip | >= 2.8.0a1, < 2.8.7 | 2.8.7 |
ansible | pip | >= 2.9.0a1, < 2.9.1 | 2.9.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the callback plugins' failure to sanitize the 'args' field in the task data they export. The GitHub patch (75288a8) explicitly removes 'args' from result._task_fields in the send_event methods of both the Splunk and Sumologic callback plugins. Before this fix, those methods included the raw task arguments in the events sent to the external log collectors, even when no_log=True was set on the task, so the no_log protection did not cover the exported arguments. The issue reproduction in #63522 shows that 'args' contained unredacted sensitive data, confirming these methods as the source of the vulnerability.
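The following Python example is added here to illustrate the analysis above; it is not code from Ansible or from the referenced patch. It models a callback plugin that serializes the task fields into an event bound for an external collector, once in the pre-fix form that copies 'args' along with everything else and once in the fixed form that drops 'args' first, and it includes a small audit helper a defender can run over exported events. The TaskResult class, the build_event_* functions and the sample task are stand-ins constructed for this demonstration and are not Ansible's callback plugin API.

```python
# Added example, not code from Ansible or from the referenced patch.
# It models the defect the root cause analysis describes: a callback plugin
# copying the task's 'args' into an event sent to an external log collector
# even when the task has no_log set, and the fix of dropping 'args' first.
# TaskResult and the build_event_* functions are stand-ins constructed for
# this demonstration; they are not Ansible's callback plugin API.
import json


class TaskResult:
    """Stand-in for the result object a callback plugin receives (assumption)."""

    def __init__(self, task_fields, result):
        # Mirrors the two attributes the analysis mentions: the task's
        # fields (which include 'args' and 'no_log') and the module result.
        self._task_fields = task_fields
        self._result = result


# Constructed sample: a no_log task whose raw parameters carry a credential.
SECRET = "Hunter2Secret"
SAMPLE = TaskResult(
    task_fields={
        "name": "Reset database password",
        "action": "shell",
        "args": {"_raw_params": "mysql -u root -p" + SECRET + " -e 'FLUSH PRIVILEGES'"},
        "no_log": True,
    },
    result={"changed": True, "rc": 0},
)


def build_event_vulnerable(result):
    """Pre-fix behaviour: every task field, 'args' included, is serialized."""
    event = dict(result._task_fields)
    event["result"] = result._result
    return json.dumps(event)


def build_event_fixed(result):
    """Post-fix behaviour: 'args' is removed before the event is serialized."""
    fields = dict(result._task_fields)
    fields.pop("args", None)  # the change the patch makes in send_event
    fields["result"] = result._result
    return json.dumps(fields)


# Top-level fields a defender would not want forwarded to a third-party collector.
DISALLOWED_FIELDS = ("args",)


def audit_event(event_json):
    """Return the disallowed top-level fields present in a serialized event."""
    event = json.loads(event_json)
    return [name for name in DISALLOWED_FIELDS if name in event]


def event_leaks(event_json, secret):
    """True if the secret appears anywhere in the serialized event."""
    return secret in event_json


if __name__ == "__main__":
    for label, builder in (("vulnerable", build_event_vulnerable), ("fixed", build_event_fixed)):
        event = builder(SAMPLE)
        print(label, "disallowed fields:", audit_event(event),
              "leaks secret:", event_leaks(event, SECRET))
```

Running the block shows the vulnerable builder emitting an event that still carries the credential from the no_log task, while the fixed builder produces an event with no 'args' key and no trace of the secret. The audit_event helper is the kind of check worth running on the collector side against events received from controllers after upgrading to 2.7.15, 2.8.7 or 2.9.1, to confirm that task arguments are no longer being exported.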