CVE-2019-14858

low-risk

Published 2019-10-14

A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.

Do I need to act?

0.06% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.5/10 Medium

LOCAL / LOW complexity

Affected Products (2)

Ansible Engine

Ansible Tower

Affected Vendors

Redhat

References (16)

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html

https://access.redhat.com/errata/RHSA-2019:3201

https://access.redhat.com/errata/RHSA-2019:3202

https://access.redhat.com/errata/RHSA-2019:3203

https://access.redhat.com/errata/RHSA-2019:3207

https://access.redhat.com/errata/RHSA-2020:0756

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14858

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html

https://access.redhat.com/errata/RHSA-2019:3201

https://access.redhat.com/errata/RHSA-2019:3202

https://access.redhat.com/errata/RHSA-2019:3203

https://access.redhat.com/errata/RHSA-2019:3207

https://access.redhat.com/errata/RHSA-2020:0756

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14858

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 7/34 · Low