{
  "threat_severity" : "Important",
  "public_date" : "2019-10-08T00:00:00Z",
  "bugzilla" : {
    "description" : "ansible: secrets disclosed on logs when no_log enabled",
    "id" : "1755373",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1755373"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-538",
  "details" : [ "In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level, which led to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.", "Ansible was logging at the DEBUG level, which led to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process." ],
  "statement" : "Red Hat Gluster Storage no longer maintains its own version of Ansible; the prerequisite is to enable the Ansible repository. The fix will be consumed from core Ansible.",
  "acknowledgement" : "Red Hat would like to thank Harvey Rendell (Pushpay Site Reliability Engineering), Paul Milbank (Pushpay Site Reliability Engineering), and Tom Henderson (Pushpay Site Reliability Engineering) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Engine 2.6 for RHEL 7",
    "release_date" : "2019-10-24T00:00:00Z",
    "advisory" : "RHSA-2019:3201",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.6::el7",
    "package" : "ansible-0:2.6.20-1.el7ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.7 for RHEL 7",
    "release_date" : "2019-10-24T00:00:00Z",
    "advisory" : "RHSA-2019:3202",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.7::el7",
    "package" : "ansible-0:2.7.14-1.el7ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.8 for RHEL 7",
    "release_date" : "2019-10-24T00:00:00Z",
    "advisory" : "RHSA-2019:3203",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.8::el7",
    "package" : "ansible-0:2.8.6-1.el7ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.8 for RHEL 8",
    "release_date" : "2019-10-24T00:00:00Z",
    "advisory" : "RHSA-2019:3203",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.8::el8",
    "package" : "ansible-0:2.8.6-1.el8ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2 for RHEL 7",
    "release_date" : "2019-10-24T00:00:00Z",
    "advisory" : "RHSA-2019:3207",
    "cpe" : "cpe:/a:redhat:ansible_engine:2::el7",
    "package" : "ansible-0:2.8.6-1.el7ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2 for RHEL 8",
    "release_date" : "2019-10-24T00:00:00Z",
    "advisory" : "RHSA-2019:3207",
    "cpe" : "cpe:/a:redhat:ansible_engine:2::el8",
    "package" : "ansible-0:2.8.6-1.el8ae"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13.0 (Queens)",
    "release_date" : "2020-03-10T00:00:00Z",
    "advisory" : "RHSA-2020:0756",
    "cpe" : "cpe:/a:redhat:openstack:13::el7",
    "package" : "ansible-0:2.6.20-1.el7ae",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS",
    "release_date" : "2020-03-10T00:00:00Z",
    "advisory" : "RHSA-2020:0756",
    "cpe" : "cpe:/a:redhat:openstack:13::el7",
    "package" : "ansible-0:2.6.20-1.el7ae",
    "impact" : "moderate"
  } ],
  "package_state" : [ {
    "product_name" : "CloudForms Management Engine 5",
    "fix_state" : "Not affected",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Ansible Tower 3",
    "fix_state" : "Affected",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ansible_tower:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Out of support scope",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ceph_storage:2",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ceph_storage:3",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Out of support scope",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openstack:10",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenStack Platform 14 (Rocky)",
    "fix_state" : "Out of support scope",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openstack:14",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:satellite:6",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:storage:3",
    "impact" : "moderate"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-14846\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-14846" ],
  "name" : "CVE-2019-14846",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}