VYPR
High severity · NVD Advisory · Published Oct 8, 2019 · Updated Aug 5, 2024

CVE-2019-14846

Description

In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, and ansible-engine 2.6.19 logged at the DEBUG level, which led to disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.
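
The mechanism described above, as an added example (not Ansible's or boto3's code): `example_sdk.auth` and `hostapp` are hypothetical logger names and the secret is a constructed value. It shows an in-process library inheriting the host's root log level, and goes one step beyond the level change by attaching the handler to the application's own logger.

```python
import io
import logging

SECRET = "EXAMPLE-SECRET-constructed"  # constructed value, not a real credential


def sdk_call():
    """Stand-in for an in-process third-party library that logs credentials at DEBUG."""
    lib_log = logging.getLogger("example_sdk.auth")  # hypothetical logger name
    lib_log.debug("signing request with secret_key=%s", SECRET)
    lib_log.info("request sent")


def capture(attach_to, level):
    """Attach a handler to logger `attach_to` (None = root) at `level`, run the
    host's own logging plus the SDK call, and return what the handler wrote."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(name)s %(message)s"))
    target = logging.getLogger(attach_to)
    saved_level = target.level
    target.addHandler(handler)
    target.setLevel(level)
    try:
        logging.getLogger("hostapp").debug("inventory plugin loaded")  # hypothetical
        sdk_call()
    finally:
        target.removeHandler(handler)
        target.setLevel(saved_level)
    return buf.getvalue()


if __name__ == "__main__":
    # Root logger at DEBUG: the library's DEBUG record, secret included, is captured.
    print("root/DEBUG :", SECRET in capture(None, logging.DEBUG))
    # Root logger at INFO: DEBUG records are dropped, the library's INFO ones still land.
    print("root/INFO  :", SECRET in capture(None, logging.INFO))
    # Handler on the application's own logger: library records never reach it.
    print("hostapp    :", repr(capture("hostapp", logging.DEBUG)))
```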

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions        Patched versions
ansible (PyPI)   < 2.6.20                 2.6.20
ansible (PyPI)   >= 2.7.0a1, < 2.7.14     2.7.14
ansible (PyPI)   >= 2.8.0a1, < 2.8.6      2.8.6

Affected products

  • Range: all ansible_engine-2.x and ansible_engine-3.x up to ansible_engine-3.5

Patches

d961f676c010

Fix for plugins which used the boto libraries leaking the boto credentials to logs

https://github.com/ansible/ansible · Toshio Kuratomi · Sep 24, 2019 · via ghsa
2 files changed · +11 -1
  • changelogs/fragments/boto-logging-credentials.yml · +10 -0 · added
    @@ -0,0 +1,10 @@
    +bugfixes:
    +        - "**SECURITY** - CVE-2019-14846 - Several Ansible plugins could disclose aws credentials
    +          in log files.  inventory/aws_ec2.py, inventory/aws_rds.py,
    +          lookup/aws_account_attribute.py, and lookup/aws_secret.py, lookup/aws_ssm.py use the
    +          boto3 library from the Ansible process. The boto3 library logs credentials at log level
    +          DEBUG.  If Ansible's logging was enabled (by setting LOG_PATH to a value) Ansible would
    +          set the global log level to DEBUG.  This was inherited by boto and would then log boto
    +          credentials to the file specified by LOG_PATH.  This did not affect aws ansible modules
    +          as those are executed in a separate process.  This has been fixed by switching to log
    +          level INFO"
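Review bot: The fragment's closing sentence ("This has been fixed by switching to log level INFO") says nothing about log files already written while LOG_PATH was set, which may still hold the credentials. Suggest adding a line telling operators to review or purge the existing file at LOG_PATH and to rotate any AWS credentials that appear in it.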
    
  • lib/ansible/utils/display.py · +1 -1 · modified
    @@ -60,7 +60,7 @@ def filter(self, record):
     if getattr(C, 'DEFAULT_LOG_PATH'):
         path = C.DEFAULT_LOG_PATH
         if path and (os.path.exists(path) and os.access(path, os.W_OK)) or os.access(os.path.dirname(path), os.W_OK):
    -        logging.basicConfig(filename=path, level=logging.DEBUG, format='%(asctime)s %(name)s %(message)s')
    +        logging.basicConfig(filename=path, level=logging.INFO, format='%(asctime)s %(name)s %(message)s')
             mypid = str(os.getpid())
             user = getpass.getuser()
             logger = logging.getLogger("p=%s u=%s | " % (mypid, user))
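Review bot: The changed `logging.basicConfig(...)` line still sets the level on the root logger, so every library imported into the Ansible process keeps inheriting it and anything a library logs at INFO or above is still written to `path`. Consider attaching the file handler to Ansible's own logger (the `logging.getLogger("p=%s u=%s | " ...)` instance created just below) and leaving the root level alone, so that third-party loggers have to be opted in rather than being filtered only by level.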
    
90e74dd2600e

Fix for plugins which used the boto libraries leaking the boto credentials to logs

https://github.com/ansible/ansible · Toshio Kuratomi · Sep 24, 2019 · via ghsa
2 files changed · +11 -1
  • changelogs/fragments/boto-logging-credentials.yml · +10 -0 · added
    @@ -0,0 +1,10 @@
    +bugfixes:
    +        - "**SECURITY** - CVE-2019-14846 - Several Ansible plugins could disclose aws credentials
    +          in log files.  inventory/aws_ec2.py, inventory/aws_rds.py,
    +          lookup/aws_account_attribute.py, and lookup/aws_secret.py, lookup/aws_ssm.py use the
    +          boto3 library from the Ansible process. The boto3 library logs credentials at log level
    +          DEBUG.  If Ansible's logging was enabled (by setting LOG_PATH to a value) Ansible would
    +          set the global log level to DEBUG.  This was inherited by boto and would then log boto
    +          credentials to the file specified by LOG_PATH.  This did not affect aws ansible modules
    +          as those are executed in a separate process.  This has been fixed by switching to log
    +          level INFO"
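Review bot: The plugin list in the fragment reads "lookup/aws_account_attribute.py, and lookup/aws_secret.py, lookup/aws_ssm.py", with the "and" one item too early, and "aws credentials" is lower-case. Suggest moving the "and" in front of lookup/aws_ssm.py and writing "AWS", since this text is what users will search for in the release notes.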
    
  • lib/ansible/utils/display.py · +1 -1 · modified
    @@ -60,7 +60,7 @@ def filter(self, record):
     if getattr(C, 'DEFAULT_LOG_PATH'):
         path = C.DEFAULT_LOG_PATH
         if path and (os.path.exists(path) and os.access(path, os.W_OK)) or os.access(os.path.dirname(path), os.W_OK):
    -        logging.basicConfig(filename=path, level=logging.DEBUG, format='%(asctime)s %(name)s %(message)s')
    +        logging.basicConfig(filename=path, level=logging.INFO, format='%(asctime)s %(name)s %(message)s')
             mypid = str(os.getpid())
             user = getpass.getuser()
             logger = logging.getLogger("p=%s u=%s | " % (mypid, user))
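Review bot: The guard on the context line above the change, `if path and (os.path.exists(path) and os.access(path, os.W_OK)) or os.access(os.path.dirname(path), os.W_OK):`, parses as `(path and (...)) or os.access(dirname, W_OK)` because `and` binds tighter than `or`. An existing log file that is not writable but sits in a writable directory therefore passes the check and reaches `logging.basicConfig(filename=path, ...)`. Since this line is being touched anyway, suggest parenthesising the condition so the intent (path set, and either the file is writable or it does not exist yet and the directory is writable) is explicit.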
    
cb0f535a8b25

Fix for plugins which used the boto libraries leaking the boto credentials to logs

https://github.com/ansible/ansible · Toshio Kuratomi · Sep 24, 2019 · via ghsa
2 files changed · +11 -1
  • changelogs/fragments/boto-logging-credentials.yml · +10 -0 · added
    @@ -0,0 +1,10 @@
    +bugfixes:
    +        - "**SECURITY** - CVE-2019-14846 - Several Ansible plugins could disclose aws credentials
    +          in log files.  inventory/aws_ec2.py, inventory/aws_rds.py,
    +          lookup/aws_account_attribute.py, and lookup/aws_secret.py, lookup/aws_ssm.py use the
    +          boto3 library from the Ansible process. The boto3 library logs credentials at log level
    +          DEBUG.  If Ansible's logging was enabled (by setting LOG_PATH to a value) Ansible would
    +          set the global log level to DEBUG.  This was inherited by boto and would then log boto
    +          credentials to the file specified by LOG_PATH.  This did not affect aws ansible modules
    +          as those are executed in a separate process.  This has been fixed by switching to log
    +          level INFO"
    
  • lib/ansible/utils/display.py · +1 -1 · modified
    @@ -62,7 +62,7 @@ def filter(self, record):
     if getattr(C, 'DEFAULT_LOG_PATH'):
         path = C.DEFAULT_LOG_PATH
         if path and (os.path.exists(path) and os.access(path, os.W_OK)) or os.access(os.path.dirname(path), os.W_OK):
    -        logging.basicConfig(filename=path, level=logging.DEBUG, format='%(asctime)s %(name)s %(message)s')
    +        logging.basicConfig(filename=path, level=logging.INFO, format='%(asctime)s %(name)s %(message)s')
             mypid = str(os.getpid())
             user = getpass.getuser()
             logger = logging.getLogger("p=%s u=%s | " % (mypid, user))
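Review bot: The level change on the `logging.basicConfig(...)` line lands without a regression test; the commit touches only the changelog fragment and display.py. Suggest a unit test that sets DEFAULT_LOG_PATH to a temporary file, emits a DEBUG record from a non-Ansible logger, and asserts the record is absent from the file, so a later change back to DEBUG is caught.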
    
