CVE-2019-14864: Inclusion of Sensitive Information in Log Files and Improper Output Neutralization for Logs in Ansible

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.77585%
Published: 2/26/2020
Updated: 9/4/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name  Ecosystem  Vulnerable Versions    First Patched Version
ansible       pip        >= 2.7.0a1, < 2.7.15   2.7.15
ansible       pip        >= 2.8.0a1, < 2.8.7    2.8.7
ansible       pip        >= 2.9.0a1, < 2.9.1    2.9.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the Splunk and Sumologic callback plugins forwarding the 'args' field of the task data to the log collector without sanitizing it. Ansible's no_log handling censors the task result, but not the task fields carried in result._task_fields, so the raw module arguments, which typically hold the very secrets no_log was meant to protect, were included in every event the plugins' send_event methods sent to the collector, even with no_log=True configured. The GitHub patch (75288a8) explicitly removes 'args' from result._task_fields in both plugins' send_event methods before the event is serialized. The reproduction in issue #63522 shows 'args' containing unredacted sensitive data, confirming these functions as the source of the leak.
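To make the leak path concrete, the following is an added worked model, not code from the page or from Ansible's own callback plugins. FakeTaskResult, make_result, build_event_vulnerable, build_event_fixed, event_leaks and the sample task with its password are all constructed for this illustration; the event layout only loosely mirrors the Splunk/Sumologic callbacks. It shows the mechanism described above: a no_log task arrives at the callback with its result already censored, but result._task_fields['args'] still holds the raw module arguments, and a callback that serializes _task_fields whole forwards the secret to the collector. The fixed variant drops 'args' the way the patch does, and event_leaks is the check a practitioner would run over captured events.

```python
"""Constructed model of the CVE-2019-14864 leak path (example code, not Ansible's)."""
import json
from dataclasses import dataclass

# Stand-in for the text Ansible substitutes for a censored no_log result.
NO_LOG_MSG = ("the output has been hidden due to the fact that "
              "'no_log: true' was specified for this result")

# Constructed secret passed as a module argument by the sample task below.
SECRET = "Sup3rS3cret!"


@dataclass
class FakeTaskResult:
    """Minimal stand-in (assumption) for the TaskResult a callback's send_event receives."""
    host: str
    task_name: str
    _result: dict
    _task_fields: dict


def make_result(no_log: bool) -> FakeTaskResult:
    """Build a constructed result for a 'user' task invoked with a password argument."""
    args = {"name": "deploy", "password": SECRET}
    if no_log:
        # Core censors the module output for no_log tasks ...
        result = {"censored": NO_LOG_MSG, "changed": True}
    else:
        result = {"changed": True, "invocation": {"module_args": dict(args)}}
    # ... but the task's own fields, including the raw 'args', are not censored.
    task_fields = {"name": "create deploy user", "action": "user",
                   "args": args, "no_log": no_log}
    return FakeTaskResult("web01", "create deploy user", result, task_fields)


def build_event_vulnerable(result: FakeTaskResult) -> dict:
    """Pre-fix shape: the whole _task_fields dict is placed in the collector event."""
    return {"host": result.host,
            "task": result.task_name,
            "ansible_result": result._result,
            "ansible_task": result._task_fields}


def build_event_fixed(result: FakeTaskResult) -> dict:
    """Post-fix shape: 'args' is removed from the task fields before serialization.

    The real patch deletes the key in place; copying first keeps this model
    side-effect free so the same result can be passed to both builders.
    """
    task_fields = dict(result._task_fields)
    task_fields.pop("args", None)
    return {"host": result.host,
            "task": result.task_name,
            "ansible_result": result._result,
            "ansible_task": task_fields}


def event_leaks(event: dict, secret: str) -> bool:
    """Detection check: does the serialized event contain the secret anywhere?"""
    return secret in json.dumps(event, sort_keys=True)


if __name__ == "__main__":
    no_log_result = make_result(no_log=True)
    print("vulnerable, no_log=True, leaks:",
          event_leaks(build_event_vulnerable(no_log_result), SECRET))
    print("fixed,      no_log=True, leaks:",
          event_leaks(build_event_fixed(no_log_result), SECRET))
```

Note what the fix does and does not cover: with no_log=True the hardened builder emits nothing containing the password, while with no_log=False the result's own invocation.module_args still carries it, which is the documented behaviour of a task that has not asked for redaction. The same event_leaks check, run against a sample of events already in Splunk or Sumologic, is a quick way to tell whether a given controller was shipping secrets before it was upgraded.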


WAF Protection Rules

WAF Rule

Ansible versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and 2.7.x before 2.7.15 do not respect the no_log flag when it is set to True and the Sumologic or Splunk callback plugins are used to send task result events to collectors. This woul
