Description
Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.
CVSS breakdown
CVSS 3.0
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected products
- Red Hat / AnsibleAnsible versions 2.9.x before 2.9.1 – Ansible versions 2.9.x before 2.9.1
- Red Hat / AnsibleAnsible versions 2.8.x before 2.8.7 – Ansible versions 2.8.x before 2.8.7
- Red Hat / AnsibleAnsible versions 2.7.x before 2.7.15 – Ansible versions 2.7.x before 2.7.15
References
- MISChttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864
- MISChttps://github.com/ansible/ansible/issues/63522
- PATCHhttps://github.com/ansible/ansible/pull/63527
- MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
- VENDOR_ADVISORYhttps://www.debian.org/security/2021/dsa-4950