Inclusion of Sensitive Information in Log Files - CVE-2019-14846
Published: October 8, 2019 / Updated: August 4, 2020
Vulnerability identifier: #VU33354
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-14846
CWE-ID: CWE-532
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor:
Affected software:
Detailed vulnerability description
The vulnerability allows a local authenticated user to execute arbitrary code.
Ansible, all ansible_engine-2.x versions and ansible_engine-3.x up to ansible_engine-3.5, was logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.
How to mitigate CVE-2019-14846
Install update from vendor's website.
Sources
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
- https://access.redhat.com/errata/RHSA-2019:3201
- https://access.redhat.com/errata/RHSA-2019:3202
- https://access.redhat.com/errata/RHSA-2019:3203
- https://access.redhat.com/errata/RHSA-2019:3207
- https://access.redhat.com/errata/RHSA-2020:0756
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14846
- https://github.com/ansible/ansible/pull/63366