{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/oraclelinux6els/vex/2019/cve-2019-14864-els_os-oraclelinux6els.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-20T13:53:40Z",
      "generator": {
        "date": "2026-04-20T13:53:40Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2019-14864-ELS_OS-ORACLELINUX6ELS",
      "initial_release_date": "2019-01-01T00:00:00Z",
      "revision_history": [
        {
          "date": "2019-01-01T00:00:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-10T19:40:31Z",
          "number": "2",
          "summary": "Official Publication"
        },
        {
          "date": "2026-04-20T13:53:40Z",
          "number": "3",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "3"
    },
    "title": "Security update on CVE-2019-14864"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Oracle Linux 6",
                "product": {
                  "name": "Oracle Linux 6",
                  "product_id": "Oracle-Linux-6",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:oracle:linux:6:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Oracle Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ansible-doc-0:2.6.20-1.el6.noarch",
                "product": {
                  "name": "ansible-doc-0:2.6.20-1.el6.noarch",
                  "product_id": "ansible-doc-0:2.6.20-1.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/oracle/ansible-doc@2.6.20-1.el6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ansible-0:2.6.20-1.el6.noarch",
                "product": {
                  "name": "ansible-0:2.6.20-1.el6.noarch",
                  "product_id": "ansible-0:2.6.20-1.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/oracle/ansible@2.6.20-1.el6?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Oracle Corporation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ansible-doc-0:2.6.20-1.el6.tuxcare.els1.noarch",
                "product": {
                  "name": "ansible-doc-0:2.6.20-1.el6.tuxcare.els1.noarch",
                  "product_id": "ansible-doc-0:2.6.20-1.el6.tuxcare.els1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/ansible-doc@2.6.20-1.el6.tuxcare.els1?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ansible-0:2.6.20-1.el6.tuxcare.els1.noarch",
                "product": {
                  "name": "ansible-0:2.6.20-1.el6.tuxcare.els1.noarch",
                  "product_id": "ansible-0:2.6.20-1.el6.tuxcare.els1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/ansible@2.6.20-1.el6.tuxcare.els1?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "CloudLinux"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-doc-0:2.6.20-1.el6.tuxcare.els1.noarch as a component of Oracle Linux 6",
          "product_id": "Oracle-Linux-6:ansible-doc-0:2.6.20-1.el6.tuxcare.els1.noarch"
        },
        "product_reference": "ansible-doc-0:2.6.20-1.el6.tuxcare.els1.noarch",
        "relates_to_product_reference": "Oracle-Linux-6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-0:2.6.20-1.el6.tuxcare.els1.noarch as a component of Oracle Linux 6",
          "product_id": "Oracle-Linux-6:ansible-0:2.6.20-1.el6.tuxcare.els1.noarch"
        },
        "product_reference": "ansible-0:2.6.20-1.el6.tuxcare.els1.noarch",
        "relates_to_product_reference": "Oracle-Linux-6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-doc-0:2.6.20-1.el6.noarch as a component of Oracle Linux 6",
          "product_id": "Oracle-Linux-6:ansible-doc-0:2.6.20-1.el6.noarch"
        },
        "product_reference": "ansible-doc-0:2.6.20-1.el6.noarch",
        "relates_to_product_reference": "Oracle-Linux-6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-0:2.6.20-1.el6.noarch as a component of Oracle Linux 6",
          "product_id": "Oracle-Linux-6:ansible-0:2.6.20-1.el6.noarch"
        },
        "product_reference": "ansible-0:2.6.20-1.el6.noarch",
        "relates_to_product_reference": "Oracle-Linux-6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-14864",
      "cwe": {
        "id": "CWE-117",
        "name": "Improper Output Neutralization for Logs"
      },
      "notes": [
        {
          "category": "description",
          "text": "Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and 2.7.x before 2.7.15, does not respect the no_log flag when it is set to True and the Sumologic and Splunk callback plugins are used to send task result events to collectors. This would disclose and collect any sensitive data.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "Oracle-Linux-6:ansible-0:2.6.20-1.el6.noarch",
          "Oracle-Linux-6:ansible-0:2.6.20-1.el6.tuxcare.els1.noarch",
          "Oracle-Linux-6:ansible-doc-0:2.6.20-1.el6.noarch",
          "Oracle-Linux-6:ansible-doc-0:2.6.20-1.el6.tuxcare.els1.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2019-14864"
        },
        {
          "category": "external",
          "summary": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html",
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"
        },
        {
          "category": "external",
          "summary": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html",
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864"
        },
        {
          "category": "external",
          "summary": "https://github.com/ansible/ansible/issues/63522",
          "url": "https://github.com/ansible/ansible/issues/63522"
        },
        {
          "category": "external",
          "summary": "https://github.com/ansible/ansible/pull/63527",
          "url": "https://github.com/ansible/ansible/pull/63527"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2021/dsa-4950",
          "url": "https://www.debian.org/security/2021/dsa-4950"
        }
      ],
      "release_date": "2020-01-02T15:15:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "details": "This issue occurs only on specific, older Ansible releases (2.9.x < 2.9.1, 2.8.x < 2.8.7, 2.7.x < 2.7.15) and only when the optional Splunk or Sumologic callback plugins are explicitly enabled to export task results; deployments not using those plugins are unaffected. It is a pure logging-path information disclosure (no code execution, no privilege escalation, no availability impact), and realizing any exposure requires both the ability to run Ansible tasks and the ability to read from the external log collectors. In centrally managed server/VM environments, this makes the practical risk low and suitable for de-prioritization unless those specific plugins and vulnerable versions are in active use.",
          "product_ids": [
            "Oracle-Linux-6:ansible-0:2.6.20-1.el6.noarch",
            "Oracle-Linux-6:ansible-0:2.6.20-1.el6.tuxcare.els1.noarch",
            "Oracle-Linux-6:ansible-doc-0:2.6.20-1.el6.noarch",
            "Oracle-Linux-6:ansible-doc-0:2.6.20-1.el6.tuxcare.els1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Oracle-Linux-6:ansible-0:2.6.20-1.el6.noarch",
            "Oracle-Linux-6:ansible-0:2.6.20-1.el6.tuxcare.els1.noarch",
            "Oracle-Linux-6:ansible-doc-0:2.6.20-1.el6.noarch",
            "Oracle-Linux-6:ansible-doc-0:2.6.20-1.el6.tuxcare.els1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}