CVE-2019-14858

Name of the Vulnerable Software and Affected Versions Ansible engine versions 2.x up to 2.8 Ansible tower versions 3.x up to 3.5

Description A vulnerability was found in Ansible engine and Ansible tower. When a module has an argument spec with sub parameters marked as no log, passing an invalid parameter name to the module will cause the task to fail before the no log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.

Recommendations For Ansible engine versions 2.x up to 2.8, consider disabling the use of sub parameters marked as no log until a patch is available. For Ansible tower versions 3.x up to 3.5, restrict access to modules that use no log sub parameters to minimize the risk of exploitation. As a temporary workaround, avoid running Ansible with increased verbosity when using modules with no log sub parameters.