CVE-2019-14846
Information Disclosure vulnerability in ansible (PyPI)
What is CVE-2019-14846 About?
This information disclosure vulnerability in Ansible Engine allows for the logging of credentials at the DEBUG level. If a third-party plugin logs sensitive data inadvertently, those credentials can be exposed in log files. Exploiting this is straightforward if an attacker has access to system logs and a vulnerable plugin is in use.
Affected Software
- ansible
- <2.6.20
- >=2.7.0a1, <2.7.14
- >=2.8.0a1, <2.8.6
Technical Details
Versions of Ansible Engine up to 2.8.5, 2.7.13, and 2.6.19 exhibited an information disclosure vulnerability related to logging. Specifically, when Ansible Engine performed logging at the DEBUG level, if a third-party plugin utilized a library that itself logs credentials (or other sensitive information) at the DEBUG level, these credentials would be written into the Ansible log files. This flaw does not originate from Ansible modules directly, as those operate in separate processes, but rather from plugins integrated within the Ansible Engine's execution context. An attacker gaining access to these logs would then be privy to sensitive authentication data.
What is the Impact of CVE-2019-14846?
Successful exploitation may allow attackers to disclose sensitive information, such as credentials, leading to unauthorized access, privilege escalation, or further compromise of the system.
What is the Exploitability of CVE-2019-14846?
Exploitation relies on the presence of a plugin that logs credentials at the DEBUG level and typically requires local access to the system where Ansible logs are stored. No specific authentication is required to trigger the logging, but access to read the logs is essential for exploitation. The complexity is low if such a plugin is in use. The risk is elevated in environments where DEBUG logging is frequently enabled, especially in production, and where log files are not adequately secured or rotated. Remote exploitation would only be possible if log files are accessible over a network without proper authentication, which is generally a misconfiguration rather than a direct vulnerability feature.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2019-14846?
Available Upgrade Options
- ansible
- <2.6.20 → Upgrade to 2.6.20
- ansible
- >=2.7.0a1, <2.7.14 → Upgrade to 2.7.14
- ansible
- >=2.8.0a1, <2.8.6 → Upgrade to 2.8.6
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/ansible/ansible/commit/cb0f535a8b254a2daf69cd067e842fabb2993034
- https://access.redhat.com/errata/RHSA-2019:3202
- https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- https://github.com/ansible/ansible
- https://access.redhat.com/errata/RHSA-2019:3201
- https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html
- https://www.debian.org/security/2021/dsa-4950
- https://access.redhat.com/errata/RHSA-2019:3203
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-4.yaml
What are Similar Vulnerabilities to CVE-2019-14846?
Similar Vulnerabilities: CVE-2020-1753 , CVE-2021-3620 , CVE-2020-14330 , CVE-2020-1733
