PYSEC-2020-160
PUBLISHED
CVSS 8.7 HIGH
Ansible versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and 2.7.x before 2.7.15 do not respect the no_log flag when it is set to True and the Sumologic and Splunk callback plugins are used to send task result events to collectors. As a result, any sensitive data in those task results is disclosed to and collected by the collectors.
Risk Scores
CVSS v4.0
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PyPI | ansible | 2.7.0, 2.8.0, 2.9.0 |
Timeline
- Jan 2, 2020 CVE Published
- Nov 8, 2023 CVE Updated
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864 report
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html url
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html url
- https://github.com/advisories/GHSA-3m93-m4q6-mc6v advisory
- https://github.com/ansible/ansible/pull/63527 fix
- https://github.com/ansible/ansible/issues/63522 discussion