A data disclosure flaw was found in ansible. Password prompts in ansible-playbook and ansible-cli tools could expose passwords with special characters as they are not properly wrapped. A password with special characters is exposed starting with the first of these special characters. The highest threat from this vulnerability is to data confidentiality.

This CVE exists due to an incomplete fix for CVE-2019-10206.

References

• https://nvd.nist.gov/vuln/detail/CVE-2019-14856
• https://access.redhat.com/errata/RHSA-2020:0756
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14856
• http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
• http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
• ansible/ansible#63351
• ansible/ansible@7f4befd
• ansible/ansible@16684f1
• ansible/ansible@2cbd877
• ansible/ansible@40618d7
• https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-146.yaml