CVE-2019-14864

Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.

Database specific

{
    "unresolved_ranges": [
        {
            "cpe": "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*",
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "15.0-sp1"
                }
            ]
        },
        {
            "cpe": "cpe:2.3:a:redhat:ansible_tower:3.0:*:*:*:*:*:*:*",
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "3.0"
                }
            ]
        },
        {
            "cpe": "cpe:2.3:a:redhat:ceph_storage:3.0:*:*:*:*:*:*:*",
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "3.0"
                }
            ]
        },
        {
            "cpe": "cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:*",
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "5.0"
                }
            ]
        },
        {
            "cpe": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "10.0"
                }
            ]
        },
        {
            "cpe": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "15.1"
                }
            ]
        },
        {
            "cpe": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "6.0"
                }
            ]
        },
        {
            "cpe": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "7.0"
                }
            ]
        },
        {
            "cpe": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "8.0"
                }
            ]
        }
    ]
}

References

Affected packages

Git / github.com/ansible/ansible

Affected ranges

Type

GIT

Repo

https://github.com/ansible/ansible

Events

Introduced

0a07068054090d5b78b27496aa251be74c484b45

Fixed

0623dedf2d9c4afc09e5be30d3ef249f9d1ebece

Introduced

2611867fd1dc387ceaa0ffb8ce0f030aafc2a859

Fixed

24220a618a6d5cd3b5c99f8c7f7771661ed08d33

Introduced

24325a05dfb9104d6d4ec8b488b89e07c2e6d376

Fixed

6c051b0241b27ea884722d1e822cd2eec3a919a0

Database specific

{
    "cpe": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*",
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "2.7.0"
        },
        {
            "fixed": "2.7.15"
        },
        {
            "introduced": "2.8.0"
        },
        {
            "fixed": "2.8.7"
        },
        {
            "introduced": "2.9.0"
        },
        {
            "fixed": "2.9.1"
        }
    ]
}

Affected versions

v2.*

v2.7.0

v2.7.1

v2.7.10

v2.7.11

v2.7.12

v2.7.13

v2.7.14

v2.7.2

v2.7.3

v2.7.4

v2.7.5

v2.7.6

v2.7.7

v2.7.8

v2.7.9

v2.8.0

v2.8.1

v2.8.2

v2.8.3

v2.8.4

v2.8.5

v2.8.6

v2.9.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-14864.json"