Information disclosure in Red Hat Ansible

Published: 2018-12-06 15:09:10
Severity Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2018-16859
CVSSv3 3.9 [CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CWE ID CWE-200
Exploitation vector Local
Public exploit N/A
Vulnerable software Ansible
Vulnerable software versions Ansible 2.7.3
Ansible 2.7.2
Ansible 2.6.9

Show more

Vendor URL Red Hat Inc.

Security Advisory

1) Information disclosure

Description

The vulnerability allows a local attacker with administrative privileges to obtain potentially sensitive information.

The vulnerability exists due to the plaintext exposure of “become” passwords when Ansible playbooks are executed on a Windows system with PowerShell scriptblock logging and module logging. A local attacker can discover the plaintext password that can be used to conduct further attacks.

Remediation

The vulnerability has been fixed in the versions 2.5.13, 2.6.10, 2.7.4.

External links

https://github.com/ansible/ansible/pull/49142

Back to List