CVE-2019-14856: Ansible password prompts could expose passwords
(updated )
A data disclosure flaw was found in ansible. Password prompts in ansible-playbook and ansible-cli tools could expose passwords with special characters as they are not properly wrapped. A password with special characters is exposed starting with the first of these special characters. The highest threat from this vulnerability is to data confidentiality.
This CVE exists due to an incomplete fix for CVE-2019-10206.
References
- access.redhat.com/errata/RHSA-2020:0756
- bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14856
- github.com/advisories/GHSA-6fq2-x65v-v9h7
- github.com/ansible/ansible
- github.com/ansible/ansible/commit/16684f118715a52e1c46d437652add9ca36423de
- github.com/ansible/ansible/commit/2cbd8775ca1271195169f62122df1f88b532e74f
- github.com/ansible/ansible/commit/40618d70e61af1123907a5fb246cc4fd35f1e5c3
- github.com/ansible/ansible/commit/7f4befdea77045fa83b5f2b304bd5e16b219f74c
- github.com/ansible/ansible/pull/63351
- github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-146.yaml
- nvd.nist.gov/vuln/detail/CVE-2019-14856
Detect and mitigate CVE-2019-14856 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →