x/vulndb: potential Go vuln in github.com/ansible/ansible: CVE-2019-14864

[tatianab]

CVE-2019-14864 references github.com/ansible/ansible, which may be a Go module.

Description:
Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-14864
• web: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864
• report: Sumologic callback plugin logging sensitive data ansible/ansible#63522
• fix: removing args from task_fields as it can contain sensitive data ansible/ansible#63527
• web: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
• web: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
• web: https://www.debian.org/security/2021/dsa-4950
• Imported by: https://pkg.go.dev/github.com/ansible/ansible?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/ansible/ansible
      vulnerable_at: 2.15.5+incompatible
      packages:
        - package: Ansible
cves:
    - CVE-2019-14864
references:
    - web: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14864
    - report: https://github.com/ansible/ansible/issues/63522
    - fix: https://github.com/ansible/ansible/pull/63527
    - web: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
    - web: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
    - web: https://www.debian.org/security/2021/dsa-4950

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports