CVE-2019-14858
First published: Thu Oct 10 2019(Updated: )
A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as `no_log`, passing an invalid parameter name to the module will cause the task to fail before the `no_log` options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ansible-engine | <2.6.20 | 2.6.20 |
| redhat/ansible-engine | <2.7.14 | 2.7.14 |
| redhat/ansible-engine | <2.8.6 | 2.8.6 |
| pip/ansible | >=2.0<2.6.20 | 2.6.20 |
| pip/ansible | >=2.7.0a1<2.7.14 | 2.7.14 |
| pip/ansible | >=2.8.0a1<2.8.6 | 2.8.6 |
| pip/ansible | >=2.9.0a1<2.9.0rc4 | 2.9.0rc4 |
| Red Hat Ansible Engine | >=2.0<=2.8.0 | |
| Red Hat Ansible Tower | >=3.0<=3.5.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
- https://access.redhat.com/errata/RHSA-2019:3201
- https://access.redhat.com/errata/RHSA-2019:3202
- https://access.redhat.com/errata/RHSA-2019:3203
- https://access.redhat.com/errata/RHSA-2019:3207
- https://access.redhat.com/errata/RHSA-2020:0756
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14858
- https://github.com/ansible/ansible/pull/63405
- https://access.redhat.com/security/cve/cve-2019-14858
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1766409
- https://bugzilla.redhat.com/show_bug.cgi?id=1760593
- https://nvd.nist.gov/vuln/detail/CVE-2019-14858
- https://github.com/advisories/GHSA-h653-95qw-h2mp (Advisory)
- https://github.com/ansible/ansible/commit/0fd656e9964a91f2e8b1e9bbf78c74661ab9d37b
- https://github.com/ansible/ansible/commit/3dfb8e81bb5f776a6b00c7a90dd087e85b71f8bb
- https://github.com/ansible/ansible/commit/87f8d77d70476454f7fe2381bd363a329ce4266c
- https://github.com/ansible/ansible/commit/f610ed3a4eb87eb557200606279796921fa9b722
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-171.yaml
Frequently Asked Questions
What is the severity of CVE-2019-14858?
CVE-2019-14858 has a moderate severity rating due to its potential impact on the confidentiality of sensitive data.
How do I fix CVE-2019-14858?
To fix CVE-2019-14858, update Ansible to version 2.9.0 or later if you are using Ansible Engine, or Ansible Tower to 3.6 or later.
What versions are affected by CVE-2019-14858?
CVE-2019-14858 affects Ansible Engine versions 2.x up to 2.8 and Ansible Tower versions 3.x up to 3.5.
What are the potential risks of CVE-2019-14858?
The potential risks of CVE-2019-14858 include unauthorized data disclosure due to improper handling of module arguments.
Is there a workaround for CVE-2019-14858?
The best workaround for CVE-2019-14858 is to avoid using invalid parameter names in module arguments until a patch is applied.
- agent/weakness
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-14858
- agent/software-canonical-lookup
- agent/description
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-h653-95qw-h2mp
- agent/last-modified-date
- agent/references
- collector/github-advisory
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/redhat
- package-manager/pip
- vendor/redhat
- canonical/red hat ansible engine
- version/red hat ansible engine/2.0
- version/red hat ansible engine/2.8.0
- canonical/red hat ansible tower
- version/red hat ansible tower/3.0
- version/red hat ansible tower/3.5.0