Alpine: multiple ansible packages: security update to 2.7.14-r0

high Tenable Cloud Security Plugin ID 403499

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine
2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a
library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those
are executed in a separate process. (CVE-2019-14846)

- ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None (CVE-2019-14856)

- A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module
has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module
will cause the task to fail before the no_log options in the sub parameters are processed. As a result,
data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased
verbosity and present in the module invocation arguments for the task. (CVE-2019-14858)

See Also

https://security.alpinelinux.org/vuln/CVE-2019-14846

https://security.alpinelinux.org/vuln/CVE-2019-14856

https://security.alpinelinux.org/vuln/CVE-2019-14858

Plugin Details

Severity: High

ID: 403499

Version: Revision 1.23

Type: Local

Published: 10/31/2023

Updated: 3/12/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2019-14856

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2019-14846

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 10/8/2019

Reference Information

CVE: CVE-2019-14846, CVE-2019-14856, CVE-2019-14858