{"containers": {"cna": {"affected": [{"product": "Ansible", "vendor": "Red Hat", "versions": [{"status": "affected", "version": "all ansible_engine-2.x and ansible_engine-3.x up to ansible_engine-3.5"}]}], "descriptions": [{"lang": "en", "value": "In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-117", "description": "CWE-117", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-532", "description": "CWE-532", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-07T14:06:36.000Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14846"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ansible/ansible/pull/63366"}, {"name": "RHSA-2019:3203", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:3203"}, {"name": "RHSA-2019:3202", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:3202"}, {"name": "RHSA-2019:3207", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:3207"}, {"name": "RHSA-2019:3201", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:3201"}, {"name": "RHSA-2020:0756", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0756"}, {"name": "openSUSE-SU-2020:0513", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"}, {"name": "openSUSE-SU-2020:0523", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"}, {"name": "[debian-lts-announce] 20200505 [SECURITY] [DLA 2202-1] ansible security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html"}, {"name": "[debian-lts-announce] 20210127 [SECURITY] [DLA 2535-1] ansible security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html"}, {"name": "DSA-4950", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4950"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2019-14846", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Ansible", "version": {"version_data": [{"version_value": "all ansible_engine-2.x and ansible_engine-3.x up to ansible_engine-3.5"}]}}]}, "vendor_name": "Red Hat"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process."}]}, "impact": {"cvss": [[{"vectorString": "7.3/CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-117"}]}, {"description": [{"lang": "eng", "value": "CWE-532"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14846", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14846"}, {"name": "https://github.com/ansible/ansible/pull/63366", "refsource": "CONFIRM", "url": "https://github.com/ansible/ansible/pull/63366"}, {"name": "RHSA-2019:3203", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:3203"}, {"name": "RHSA-2019:3202", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:3202"}, {"name": "RHSA-2019:3207", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:3207"}, {"name": "RHSA-2019:3201", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:3201"}, {"name": "RHSA-2020:0756", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0756"}, {"name": "openSUSE-SU-2020:0513", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"}, {"name": "openSUSE-SU-2020:0523", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"}, {"name": "[debian-lts-announce] 20200505 [SECURITY] [DLA 2202-1] ansible security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html"}, {"name": "[debian-lts-announce] 20210127 [SECURITY] [DLA 2535-1] ansible security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html"}, {"name": "DSA-4950", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4950"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:26:39.176Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14846"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ansible/ansible/pull/63366"}, {"name": "RHSA-2019:3203", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:3203"}, {"name": "RHSA-2019:3202", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:3202"}, {"name": "RHSA-2019:3207", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:3207"}, {"name": "RHSA-2019:3201", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:3201"}, {"name": "RHSA-2020:0756", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0756"}, {"name": "openSUSE-SU-2020:0513", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"}, {"name": "openSUSE-SU-2020:0523", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"}, {"name": "[debian-lts-announce] 20200505 [SECURITY] [DLA 2202-1] ansible security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html"}, {"name": "[debian-lts-announce] 20210127 [SECURITY] [DLA 2535-1] ansible security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html"}, {"name": "DSA-4950", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4950"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-14846", "datePublished": "2019-10-08T18:44:09.000Z", "dateReserved": "2019-08-10T00:00:00.000Z", "dateUpdated": "2024-08-05T00:26:39.176Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "07DA4289-FB39-4AE8-AD1D-723C274E6E62", "versionEndExcluding": "2.6.20", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C993B5F-1D91-4896-8986-1DC8057205A2", "versionEndExcluding": "2.7.14", "versionStartIncluding": "2.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "92DA252C-496A-4006-9D48-A4AF30459F95", "versionEndExcluding": "2.8.6", "versionStartIncluding": "2.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "40513095-7E6E-46B3-B604-C926F1BA3568", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*", "matchCriteriaId": "704CFA1A-953E-4105-BFBE-406034B83DED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible_engine:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "8989CD03-49A1-4831-BF98-9F21592788BE", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_engine:2.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "8875E85C-22EB-4950-BDC0-D34488D87863", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318", "vulnerable": false}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "B0FEFCDD-A212-4525-B449-2C4A00A0D2E9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process."}, {"lang": "es", "value": "En Ansible, todas las versiones de Ansible Engine hasta ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, se registraban en el nivel DEBUG, lo que conlleva a la divulgaci\u00f3n de credenciales si un plugin us\u00f3 una biblioteca que registraba credenciales en el nivel DEBUG. Este defecto no afecta a los m\u00f3dulos de Ansible, ya que son ejecutados en un proceso separado."}], "id": "CVE-2019-14846", "lastModified": "2024-11-21T04:27:29.307", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-10-08T19:15:10.400", "references": [{"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3201"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3202"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3203"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3207"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0756"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14846"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ansible/ansible/pull/63366"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4950"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3201"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3202"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3203"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3207"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0756"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14846"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ansible/ansible/pull/63366"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4950"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-117"}, {"lang": "en", "value": "CWE-532"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Harvey Rendell (Pushpay Site Reliability Engineering), Paul Milbank (Pushpay Site Reliability Engineering), and Tom Henderson (Pushpay Site Reliability Engineering) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2019:3201", "cpe": "cpe:/a:redhat:ansible_engine:2.6::el7", "package": "ansible-0:2.6.20-1.el7ae", "product_name": "Red Hat Ansible Engine 2.6 for RHEL 7", "release_date": "2019-10-24T00:00:00Z"}, {"advisory": "RHSA-2019:3202", "cpe": "cpe:/a:redhat:ansible_engine:2.7::el7", "package": "ansible-0:2.7.14-1.el7ae", "product_name": "Red Hat Ansible Engine 2.7 for RHEL 7", "release_date": "2019-10-24T00:00:00Z"}, {"advisory": "RHSA-2019:3203", "cpe": "cpe:/a:redhat:ansible_engine:2.8::el7", "package": "ansible-0:2.8.6-1.el7ae", "product_name": "Red Hat Ansible Engine 2.8 for RHEL 7", "release_date": "2019-10-24T00:00:00Z"}, {"advisory": "RHSA-2019:3203", "cpe": "cpe:/a:redhat:ansible_engine:2.8::el8", "package": "ansible-0:2.8.6-1.el8ae", "product_name": "Red Hat Ansible Engine 2.8 for RHEL 8", "release_date": "2019-10-24T00:00:00Z"}, {"advisory": "RHSA-2019:3207", "cpe": "cpe:/a:redhat:ansible_engine:2::el7", "package": "ansible-0:2.8.6-1.el7ae", "product_name": "Red Hat Ansible Engine 2 for RHEL 7", "release_date": "2019-10-24T00:00:00Z"}, {"advisory": "RHSA-2019:3207", "cpe": "cpe:/a:redhat:ansible_engine:2::el8", "package": "ansible-0:2.8.6-1.el8ae", "product_name": "Red Hat Ansible Engine 2 for RHEL 8", "release_date": "2019-10-24T00:00:00Z"}, {"advisory": "RHSA-2020:0756", "cpe": "cpe:/a:redhat:openstack:13::el7", "impact": "moderate", "package": "ansible-0:2.6.20-1.el7ae", "product_name": "Red Hat OpenStack Platform 13.0 (Queens)", "release_date": "2020-03-10T00:00:00Z"}, {"advisory": "RHSA-2020:0756", "cpe": "cpe:/a:redhat:openstack:13::el7", "impact": "moderate", "package": "ansible-0:2.6.20-1.el7ae", "product_name": "Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS", "release_date": "2020-03-10T00:00:00Z"}], "bugzilla": {"description": "ansible: secrets disclosed on logs when no_log enabled", "id": "1755373", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1755373"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-117->CWE-532", "details": ["In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.", "Ansible was logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2019-14846", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Not affected", "impact": "moderate", "package_name": "ansible", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/a:redhat:ansible_tower:3", "fix_state": "Affected", "package_name": "ansible", "product_name": "Red Hat Ansible Tower 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "impact": "moderate", "package_name": "ansible", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "impact": "moderate", "package_name": "ansible", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "impact": "moderate", "package_name": "ansible", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:14", "fix_state": "Out of support scope", "impact": "moderate", "package_name": "ansible", "product_name": "Red Hat OpenStack Platform 14 (Rocky)"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "impact": "moderate", "package_name": "ansible", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Will not fix", "impact": "moderate", "package_name": "ansible", "product_name": "Red Hat Storage 3"}], "public_date": "2019-10-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-14846\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-14846"], "statement": "Red Hat Gluster Storage no more maintains its own version of Ansible, pre-requisite is to enable ansible repository. The fix will be consumed from core Ansible.", "threat_severity": "Important"}

{}