CVE-2019-14858

Summary

CVE	CVE-2019-14858
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-10-14 15:15:00 UTC
Updated	2019-10-24 23:15:00 UTC
Description	A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.

Risk And Classification

Problem Types: CWE-532

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Redhat	Ansible Engine	All	All	All	All
Application	Redhat	Ansible Tower	All	All	All	All

References

Reference	Source	Link	Tags
Red Hat Customer Portal	REDHAT	access.redhat.com
[security-announce] openSUSE-SU-2020:0513-1: moderate: Security update f	SUSE	lists.opensuse.org
[security-announce] openSUSE-SU-2020:0523-1: moderate: Security update f	SUSE	lists.opensuse.org
1760593 – (CVE-2019-14858) CVE-2019-14858 ansible: sub parameters marked as no_log are not masked in certain failure scenarios	CONFIRM	bugzilla.redhat.com	Issue Tracking, Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com
Red Hat Customer Portal	REDHAT	access.redhat.com
Red Hat Customer Portal	REDHAT	access.redhat.com
Red Hat Customer Portal	REDHAT	access.redhat.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

500005 Alpine Linux Security Update for ansible
501346 Alpine Linux Security Update for ansible-base