Source: ansible
Version: 2.8.3+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/ansible/ansible/pull/63405
Control: found -1 2.7.8+dfsg-1
Control: found -1 2.7.7+dfsg-1

Hi,

The following vulnerability was published for ansible.

CVE-2019-14858[0]:
| A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible
| tower 3.x up to 3.5. When a module has an argument_spec with sub
| parameters marked as no_log, passing an invalid parameter name to the
| module will cause the task to fail before the no_log options in the
| sub parameters are processed. As a result, data in the sub parameter
| fields will not be masked and will be displayed if Ansible is run with
| increased verbosity and present in the module invocation arguments for
| the task.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14858
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14858
[1] https://github.com/ansible/ansible/pull/63405
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1760593

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
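
The ordering problem in the CVE description above, as an added example that is not part of the original report and is not Ansible's own code: a simplified Python model of a task failing on an unsupported parameter before or after the sub parameter `no_log` options are collected. `SPEC`, `BAD_PARAMS`, `MASK`, `collect_no_log`, `sanitize` and `run_module` are hypothetical names, and the sample values are constructed.

```python
# Simplified model of the flaw; not Ansible's code. All names are hypothetical.
MASK = "********"  # constructed placeholder for a masked value

# Constructed argument_spec: "auth" has a sub parameter marked no_log.
SPEC = {
    "name": {"type": "str"},
    "auth": {"type": "dict", "options": {
        "user": {"type": "str"},
        "token": {"type": "str", "no_log": True},
    }},
}
# Constructed task arguments with a misspelled (unsupported) parameter name.
BAD_PARAMS = {"nmae": "web", "auth": {"user": "deploy", "token": "s3cr3t-example"}}


def collect_no_log(spec, params, recurse):
    """Gather values marked no_log; descend into sub parameters if recurse."""
    secrets = set()
    for key, opt in spec.items():
        value = params.get(key)
        if value is None:
            continue
        if opt.get("no_log"):
            secrets.add(str(value))
        elif recurse and isinstance(value, dict) and "options" in opt:
            secrets |= collect_no_log(opt["options"], value, recurse)
    return secrets


def sanitize(obj, secrets):
    """Replace every collected secret value inside a nested structure."""
    if isinstance(obj, dict):
        return {k: sanitize(v, secrets) for k, v in obj.items()}
    return MASK if str(obj) in secrets else obj


def run_module(params, sub_no_log_first):
    """Return the result a task reports, including its invocation arguments.

    sub_no_log_first=False models the flawed order: the unsupported-parameter
    check fails the task before sub parameter no_log options are processed.
    """
    secrets = collect_no_log(SPEC, params, recurse=sub_no_log_first)
    unknown = sorted(set(params) - set(SPEC))
    if unknown:
        return {"failed": True, "msg": "Unsupported parameters: " + ", ".join(unknown),
                "invocation": {"module_args": sanitize(params, secrets)}}
    secrets = collect_no_log(SPEC, params, recurse=True)
    return {"failed": False, "invocation": {"module_args": sanitize(params, secrets)}}
```

A regression test for a fix can follow the same shape: fail a task on purpose with an invalid parameter name and check that the reported invocation arguments no longer contain the sub parameter value.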
