Moderate severityNVD Advisory· Published Jan 2, 2020· Updated Aug 5, 2024
CVE-2019-14864
CVE-2019-14864
Description
Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ansiblePyPI | >= 2.7.0a1, < 2.7.15 | 2.7.15 |
ansiblePyPI | >= 2.8.0a1, < 2.8.7 | 2.8.7 |
ansiblePyPI | >= 2.9.0a1, < 2.9.1 | 2.9.1 |
Affected products
1Patches
475288a89d005Callback: removing args from task_fields from Sumologic and Splunk plugin(#63527) (#64748)
3 files changed · +8 −0
changelogs/fragments/63522-remove-args-from-sumologic-and-splunk-callbacks.yml+2 −0 added@@ -0,0 +1,2 @@ +bugfixes: + - '**security issue** - Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs (CVE-2019-14864)'
lib/ansible/plugins/callback/splunk.py+3 −0 modified@@ -98,6 +98,9 @@ def send_event(self, url, authtoken, state, result, runtime): else: ansible_role = None + if 'args' in result._task_fields: + del result._task_fields['args'] + data = {} data['uuid'] = result._task._uuid data['session'] = self.session
lib/ansible/plugins/callback/sumologic.py+3 −0 modified@@ -89,6 +89,9 @@ def send_event(self, url, state, result, runtime): else: ansible_role = None + if 'args' in result._task_fields: + del result._task_fields['args'] + data = {} data['uuid'] = result._task._uuid data['session'] = self.session
050f92f96054[2.8] Callback: removing args from task_fields from Sumologic and Splunk plugin (#64273)
3 files changed · +8 −0
changelogs/fragments/63522-remove-args-from-sumologic-and-splunk-callbacks.yml+2 −0 added@@ -0,0 +1,2 @@ +bugfixes: + - '**security issue** - Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs (CVE-2019-14864)'
lib/ansible/plugins/callback/splunk.py+3 −0 modified@@ -98,6 +98,9 @@ def send_event(self, url, authtoken, state, result, runtime): else: ansible_role = None + if 'args' in result._task_fields: + del result._task_fields['args'] + data = {} data['uuid'] = result._task._uuid data['session'] = self.session
lib/ansible/plugins/callback/sumologic.py+3 −0 modified@@ -89,6 +89,9 @@ def send_event(self, url, state, result, runtime): else: ansible_role = None + if 'args' in result._task_fields: + del result._task_fields['args'] + data = {} data['uuid'] = result._task._uuid data['session'] = self.session
a0ec2976b271[2.9] Callback: removing args from task_fields from Sumologic and Splunk plugin (#64274)
3 files changed · +8 −0
changelogs/fragments/63522-remove-args-from-sumologic-and-splunk-callbacks.yml+2 −0 added@@ -0,0 +1,2 @@ +bugfixes: + - '**security issue** - Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs (CVE-2019-14864)'
lib/ansible/plugins/callback/splunk.py+3 −0 modified@@ -98,6 +98,9 @@ def send_event(self, url, authtoken, state, result, runtime): else: ansible_role = None + if 'args' in result._task_fields: + del result._task_fields['args'] + data = {} data['uuid'] = result._task._uuid data['session'] = self.session
lib/ansible/plugins/callback/sumologic.py+3 −0 modified@@ -89,6 +89,9 @@ def send_event(self, url, state, result, runtime): else: ansible_role = None + if 'args' in result._task_fields: + del result._task_fields['args'] + data = {} data['uuid'] = result._task._uuid data['session'] = self.session
c76e074e4c71Callback: removing args from task_fields from Sumologic and Splunk plugin(#63527)
3 files changed · +8 −0
changelogs/fragments/63522-remove-args-from-sumologic-and-splunk-callbacks.yml+2 −0 added@@ -0,0 +1,2 @@ +bugfixes: + - '**security issue** - Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs (CVE-2019-14864)'
lib/ansible/plugins/callback/splunk.py+3 −0 modified@@ -98,6 +98,9 @@ def send_event(self, url, authtoken, state, result, runtime): else: ansible_role = None + if 'args' in result._task_fields: + del result._task_fields['args'] + data = {} data['uuid'] = result._task._uuid data['session'] = self.session
lib/ansible/plugins/callback/sumologic.py+3 −0 modified@@ -89,6 +89,9 @@ def send_event(self, url, state, result, runtime): else: ansible_role = None + if 'args' in result._task_fields: + del result._task_fields['args'] + data = {} data['uuid'] = result._task._uuid data['session'] = self.session
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
16- lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.htmlghsavendor-advisoryx_refsource_SUSEWEB
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.htmlghsavendor-advisoryx_refsource_SUSEWEB
- github.com/advisories/GHSA-3m93-m4q6-mc6vghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2019-14864ghsaADVISORY
- www.debian.org/security/2021/dsa-4950ghsavendor-advisoryx_refsource_DEBIANWEB
- bugzilla.redhat.com/show_bug.cgighsax_refsource_CONFIRMWEB
- github.com/ansible/ansible/commit/050f92f96054bf59e283fdec9972323c2ed00348ghsaWEB
- github.com/ansible/ansible/commit/75288a89d0053d6df35c90863fb6c9542d89850eghsaWEB
- github.com/ansible/ansible/commit/a0ec2976b2716cdecdd7a8f416d96406acd79b7cghsaWEB
- github.com/ansible/ansible/commit/c76e074e4c71c7621a1ca8159261c1959b5287afghsaWEB
- github.com/ansible/ansible/issues/63522ghsax_refsource_MISCWEB
- github.com/ansible/ansible/pull/63527ghsax_refsource_MISCWEB
- github.com/ansible/ansible/pull/64273ghsaWEB
- github.com/ansible/ansible/pull/64274ghsaWEB
- github.com/ansible/ansible/pull/64748ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-160.yamlghsaWEB
News mentions
0No linked articles in our index yet.