Search for vulnerabilities
Vulnerability details: VCID-4htg-c38r-2fh4
Vulnerability ID VCID-4htg-c38r-2fh4
Aliases CVE-2019-14846
GHSA-pm48-cvv2-29q5
PYSEC-2019-4
Summary In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-117 Improper Output Neutralization for Logs
CWE-532 Insertion of Sensitive Information into Log File
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 7.8 http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
generic_textual HIGH http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
cvssv3.1 7.8 http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
generic_textual HIGH http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
cvssv3.1 7.8 https://access.redhat.com/errata/RHSA-2019:3201
generic_textual HIGH https://access.redhat.com/errata/RHSA-2019:3201
cvssv3.1 7.8 https://access.redhat.com/errata/RHSA-2019:3202
generic_textual HIGH https://access.redhat.com/errata/RHSA-2019:3202
cvssv3.1 7.8 https://access.redhat.com/errata/RHSA-2019:3203
generic_textual HIGH https://access.redhat.com/errata/RHSA-2019:3203
cvssv3.1 7.8 https://access.redhat.com/errata/RHSA-2019:3207
generic_textual HIGH https://access.redhat.com/errata/RHSA-2019:3207
cvssv3.1 7.8 https://access.redhat.com/errata/RHSA-2020:0756
generic_textual HIGH https://access.redhat.com/errata/RHSA-2020:0756
cvssv3 7.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-14846.json
epss 0.00086 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00086 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00086 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00141 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00141 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00141 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00141 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00141 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00141 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00141 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00141 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00141 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00141 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00153 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00153 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00153 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00153 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00153 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00153 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00153 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00153 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00153 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00153 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00153 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00153 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00153 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
epss 0.00153 https://api.first.org/data/v1/epss?cve=CVE-2019-14846
cvssv3.1 7.8 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14846
generic_textual HIGH https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14846
cvssv3 2.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-pm48-cvv2-29q5
cvssv3.1 7.8 https://github.com/ansible/ansible
generic_textual HIGH https://github.com/ansible/ansible
cvssv3.1 7.8 https://github.com/ansible/ansible/commit/90e74dd2600e5cc42dd9b4f4656f3d651c4ce5c4
generic_textual HIGH https://github.com/ansible/ansible/commit/90e74dd2600e5cc42dd9b4f4656f3d651c4ce5c4
cvssv3.1 7.8 https://github.com/ansible/ansible/commit/cb0f535a8b254a2daf69cd067e842fabb2993034
generic_textual HIGH https://github.com/ansible/ansible/commit/cb0f535a8b254a2daf69cd067e842fabb2993034
cvssv3.1 7.8 https://github.com/ansible/ansible/commit/d961f676c01023a6a21503df16ba551a550e515b
generic_textual HIGH https://github.com/ansible/ansible/commit/d961f676c01023a6a21503df16ba551a550e515b
cvssv3.1 7.8 https://github.com/ansible/ansible/pull/63366
generic_textual HIGH https://github.com/ansible/ansible/pull/63366
cvssv3.1 7.8 https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-4.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-4.yaml
cvssv3.1 7.8 https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html
cvssv3.1 7.8 https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
cvssv2 2.1 https://nvd.nist.gov/vuln/detail/CVE-2019-14846
cvssv3.1 7.8 https://nvd.nist.gov/vuln/detail/CVE-2019-14846
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2019-14846
cvssv3.1 7.8 https://www.debian.org/security/2021/dsa-4950
generic_textual HIGH https://www.debian.org/security/2021/dsa-4950
Reference id Reference type URL
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
https://access.redhat.com/errata/RHSA-2019:3201
https://access.redhat.com/errata/RHSA-2019:3202
https://access.redhat.com/errata/RHSA-2019:3203
https://access.redhat.com/errata/RHSA-2019:3207
https://access.redhat.com/errata/RHSA-2020:0756
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-14846.json
https://api.first.org/data/v1/epss?cve=CVE-2019-14846
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14846
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10156
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10206
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14846
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14864
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14904
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10684
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10685
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14330
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14332
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14365
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1739
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20228
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/ansible/ansible
https://github.com/ansible/ansible/commit/90e74dd2600e5cc42dd9b4f4656f3d651c4ce5c4
https://github.com/ansible/ansible/commit/cb0f535a8b254a2daf69cd067e842fabb2993034
https://github.com/ansible/ansible/commit/d961f676c01023a6a21503df16ba551a550e515b
https://github.com/ansible/ansible/pull/63366
https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-4.yaml
https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html
https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
https://nvd.nist.gov/vuln/detail/CVE-2019-14846
https://www.debian.org/security/2021/dsa-4950
1755373 https://bugzilla.redhat.com/show_bug.cgi?id=1755373
942188 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942188
cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
GHSA-pm48-cvv2-29q5 https://github.com/advisories/GHSA-pm48-cvv2-29q5
USN-7330-1 https://usn.ubuntu.com/7330-1/
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/errata/RHSA-2019:3201
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/errata/RHSA-2019:3202
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/errata/RHSA-2019:3203
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/errata/RHSA-2019:3207
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/errata/RHSA-2020:0756
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-14846.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14846
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/ansible/ansible
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/ansible/ansible/commit/90e74dd2600e5cc42dd9b4f4656f3d651c4ce5c4
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/ansible/ansible/commit/cb0f535a8b254a2daf69cd067e842fabb2993034
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/ansible/ansible/commit/d961f676c01023a6a21503df16ba551a550e515b
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/ansible/ansible/pull/63366
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-4.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-14846
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-14846
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://www.debian.org/security/2021/dsa-4950
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.25887
EPSS Score 0.00086
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:07:52.560348+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/ansible/PYSEC-2019-4.yaml 37.0.0