CVE-2019-14858
information disclosure vulnerability in ansible (PyPI)
What is CVE-2019-14858 About?
This information disclosure vulnerability in Ansible Engine and Tower exposes `no_log`-protected sub-parameters. If an invalid parameter name is passed to a module, the `no_log` directives for its sub-parameters are bypassed when the task fails, and their sensitive values are revealed in the output of a run executed with increased verbosity. Exploitation requires crafting specific invalid module parameters and observing the verbose output.
Affected Software
- ansible
  - >=2.0, <2.8.1
  - >=2.7.0a1, <2.7.14
  - >=2.8.0a1, <2.8.6
  - >=2.9.0a1, <2.9.0rc4
  - >=2.0, <2.6.20
Technical Details
The vulnerability affects Ansible Engine 2.x up to 2.8 and Ansible Tower 3.x up to 3.5. It occurs when a module defines an `argument_spec` whose sub-parameters are marked `no_log` so that their values are never logged. If an attacker passes an invalid parameter name directly to the module, the task fails before the `no_log` processing for the sub-parameters takes place. Consequently, when Ansible is run with increased verbosity (e.g., `-vvv`), the sensitive values in those sub-parameter fields are not masked and are displayed in the module invocation arguments of the failed task, leading to information disclosure.
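The following is an added illustration of the ordering problem described above, not code from Ansible itself. It uses a constructed `argument_spec` in Ansible's dict format (a `password` sub-parameter under `auth` marked `no_log`) and simulates the module's reported `invocation` for a task that fails on an unknown top-level parameter, once with the flawed ordering (validate first, mask later) and once with the hardened ordering (mask before anything can fail); `leaks_secret` is the check a reviewer would run over the resulting output.

```python
from copy import deepcopy

# Constructed argument_spec in Ansible's dict format: the 'auth' parameter has
# sub-parameters ('options'), one of which is marked no_log.
SPEC = {
    "name": {"type": "str"},
    "auth": {"type": "dict", "options": {
        "username": {"type": "str"},
        "password": {"type": "str", "no_log": True},
    }},
}
MASK = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"  # placeholder substituted for masked values


def mask_no_log(spec, params):
    # Return a copy of params with every no_log value masked, recursing into sub-parameters.
    out = deepcopy(params)
    for key, opts in spec.items():
        if key not in out:
            continue
        if opts.get("no_log"):
            out[key] = MASK
        elif "options" in opts and isinstance(out[key], dict):
            out[key] = mask_no_log(opts["options"], out[key])
    return out


def module_invocation(spec, params, mask_first):
    # Simulate what a module reports as its 'invocation' when the task fails on an
    # unknown top-level parameter. mask_first=False mirrors the flawed ordering
    # (validation aborts before sub-parameter masking runs); mask_first=True is the
    # hardened ordering (mask before any step that can fail).
    shown = mask_no_log(spec, params) if mask_first else deepcopy(params)
    unknown = sorted(set(params) - set(spec))
    if unknown:
        return {"failed": True, "msg": "Unsupported parameters: " + ", ".join(unknown),
                "invocation": shown}
    return {"failed": False, "invocation": mask_no_log(spec, params)}


def leaks_secret(result, secret):
    # True if the secret appears anywhere in the invocation that -vvv would print.
    return secret in repr(result["invocation"])


# Constructed task arguments: valid 'auth' sub-parameters plus a bogus top-level key.
PARAMS = {"name": "db1", "auth": {"username": "svc", "password": "hunter2"}, "bogus": 1}

if __name__ == "__main__":
    for mask_first in (False, True):
        r = module_invocation(SPEC, PARAMS, mask_first)
        print("mask_first=%s failed=%s leaks=%s" % (mask_first, r["failed"], leaks_secret(r, "hunter2")))
```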
What is the Impact of CVE-2019-14858?
Successful exploitation may allow attackers to gain unauthorized access to sensitive information (e.g., credentials, API keys) stored in `no_log`-protected sub-parameters, leading to compromise of confidential data.
What is the Exploitability of CVE-2019-14858?
Exploitation of this vulnerability is of moderate complexity. It requires an understanding of the module's `argument_spec` and the ability to intentionally provide an invalid top-level parameter so that the failure occurs before `no_log` processing. No specific authentication is required to exploit the flaw once the data is exposed, but the attacker needs access to the output of an Ansible run that was executed with increased verbosity; typically this means local access to the log files or the terminal output. The risk increases if Ansible is frequently run with high verbosity and modules carry `no_log`-protected sensitive sub-parameters, especially in environments where the output is not properly secured.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-14858?
Available Upgrade Options
- ansible
  - >=2.0, <2.6.20 → Upgrade to 2.6.20
  - >=2.7.0a1, <2.7.14 → Upgrade to 2.7.14
  - >=2.0, <2.8.1 → Upgrade to 2.8.1
  - >=2.8.0a1, <2.8.6 → Upgrade to 2.8.6
  - >=2.9.0a1, <2.9.0rc4 → Upgrade to 2.9.0rc4
Additional Resources
- https://osv.dev/vulnerability/PYSEC-2019-171
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14858
- https://access.redhat.com/errata/RHSA-2019:3202
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- https://github.com/ansible/ansible
- https://nvd.nist.gov/vuln/detail/CVE-2019-14858
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-171.yaml
- https://access.redhat.com/errata/RHSA-2019:3201
- https://access.redhat.com/errata/RHSA-2019:3203
What are Similar Vulnerabilities to CVE-2019-14858?
Similar Vulnerabilities: CVE-2018-10855, PYSEC-2019-74, CVE-2020-1739, CVE-2020-14332, CVE-2021-3620
