—

PYSEC-2020-160

Details

Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / ansible

Introduced in: 2.7.0 Fixed in: 2.7.15

Fix pip install --upgrade 'ansible>=2.7.15'

References

https://github.com/ansible/ansible/pull/63527 [WEB]
https://github.com/ansible/ansible/issues/63522 [REPORT]
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864 [REPORT]
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html [WEB]
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html [WEB]
https://github.com/advisories/GHSA-3m93-m4q6-mc6v [ADVISORY]