Headline
CVE-2019-14846: secrets disclosed on logs when no_log enabled
In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, and ansible-engine 2.6.19 were logging at the DEBUG level, which led to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.
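The mechanism described above, as an added example that is not Ansible's code or its fix: a root logger set to DEBUG picks up credential-bearing debug records from a library called in the same process, while an INFO level or a per-logger deny filter keeps them out. The names `vendor_sdk`, `chatty_library_call`, `DenyLoggers` and `run_with_logging` are hypothetical, and the token is a constructed sample value.

```python
import io
import logging

SECRET = "s3cr3t-constructed-token"  # constructed sample value, not a real credential


def chatty_library_call(token):
    """Stand-in (hypothetical) for a third-party library used by an in-process plugin."""
    logging.getLogger("vendor_sdk").debug("authenticating with token=%s", token)
    return "ok"


class DenyLoggers(logging.Filter):
    """Drop records emitted by the named loggers and their children."""

    def __init__(self, names):
        super().__init__()
        self.names = tuple(names)

    def filter(self, record):
        return not any(record.name == n or record.name.startswith(n + ".")
                       for n in self.names)


def run_with_logging(level, denied=()):
    """Set the root logger to `level`, call the library, return what was logged."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(DenyLoggers(denied))
    root = logging.getLogger()
    old_level, old_handlers = root.level, root.handlers[:]
    root.handlers[:] = [handler]
    root.setLevel(level)  # library loggers without their own level inherit this
    try:
        chatty_library_call(SECRET)
    finally:
        # Restore the caller's logging configuration.
        root.handlers[:] = old_handlers
        root.setLevel(old_level)
    return buf.getvalue()


if __name__ == "__main__":
    print("root at DEBUG leaks:", SECRET in run_with_logging(logging.DEBUG))
    print("root at INFO leaks:", SECRET in run_with_logging(logging.INFO))
    print("DEBUG + deny filter leaks:",
          SECRET in run_with_logging(logging.DEBUG, ["vendor_sdk"]))
```

Because the library's logger has no level of its own, it inherits the root level, so the process that configures logging decides whether the credential reaches the log.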
Description Borja Tarraso 2019-09-25 11:33:47 UTC
Secrets are disclosed in logs because display is hardcoded to the DEBUG level. This causes the 'no_log' parameter to be ignored on tasks.
Comment 4 Borja Tarraso 2019-10-08 07:18:26 UTC
Acknowledgments:
Name: Paul Milbank (Pushpay Site Reliability Engineering), Harvey Rendell (Pushpay Site Reliability Engineering), Tom Henderson (Pushpay Site Reliability Engineering)
Comment 5 Salvatore Bonaccorso 2019-10-09 13:10:59 UTC
Hi
Is there any related upstream issue related to this issue or further information? The dependent issues are currently not accessible and we would like to determine which ansible versions in Debian are affected by this CVE.
Regards, Salvatore
Comment 14 Hardik Vyas 2019-11-06 05:14:11 UTC
Statement:
Red Hat Gluster Storage no longer maintains its own version of Ansible; the prerequisite is to enable the Ansible repository. The fix will be consumed from core Ansible.
Comment 24 Yadnyawalk Tale 2020-04-22 10:21:56 UTC
Red Hat CloudForms 5.10 (4.7) and 5.11 (5.0) do not ship the `ansible` package; it is provided by the official Ansible repository.