Risk | Low
Patch available | YES
Number of vulnerabilities | 1
CVE-ID | CVE-2018-16837
CWE-ID | CWE-200
Exploitation vector | Local
Public exploit | N/A
Vulnerable software | ansible (Alpine package): Operating systems & Components / Operating system package or component
Vendor | Alpine Linux Development Team
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU15721
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-16837
CWE-ID: CWE-200 - Information exposure
Exploit availability: No
Description
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists because the Ansible "User" module exposes data passed as a parameter to ssh-keygen. A local user with the ability to view the process list can obtain sensitive information.
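An added example (not part of the bulletin or of Ansible's code): a defender-side audit that parses process command lines in /proc/<pid>/cmdline format and reports ssh-keygen invocations that carry a passphrase as an argument, with the value masked. It assumes the secret-bearing options are ssh-keygen's -N and -P; the function names and the sample buffers are constructed for illustration.

```python
import os

SECRET_OPTS = ("-N", "-P")  # assumed: ssh-keygen options whose value is a passphrase

# Constructed sample buffers in /proc/<pid>/cmdline format (not real data).
SAMPLE = {
    101: b"ssh-keygen\0-q\0-t\0rsa\0-N\0example-passphrase\0-f\0/home/u/.ssh/id_rsa\0",
    102: b"ssh-keygen\0-q\0-t\0rsa\0-N\0\0-f\0/home/u/.ssh/id_rsa\0",
    103: b"sshd\0-D\0",
}

def parse_cmdline(raw):
    """Split a NUL-terminated /proc/<pid>/cmdline buffer, keeping empty arguments."""
    body = raw[:-1] if raw.endswith(b"\0") else raw  # drop only the final terminator
    return [a.decode("utf-8", "replace") for a in body.split(b"\0")] if body else []

def redact_exposed(argv):
    """Return argv with passphrase values masked, or None when none is exposed."""
    if not argv or os.path.basename(argv[0]) != "ssh-keygen":
        return None
    out, found, i = [argv[0]], False, 1
    while i < len(argv):
        arg = argv[i]
        if arg in SECRET_OPTS and i + 1 < len(argv):  # separated form: -N <value>
            out += [arg, "<redacted>" if argv[i + 1] else ""]
            found = found or bool(argv[i + 1])  # an empty passphrase is not a secret
            i += 2
            continue
        if arg[:2] in SECRET_OPTS and len(arg) > 2:  # attached form; heuristic, no getopt model
            arg, found = arg[:2] + "<redacted>", True
        out.append(arg)
        i += 1
    return out if found else None

def audit(cmdlines):
    """Map pid -> masked argv for each ssh-keygen call that exposes a passphrase."""
    hits = {pid: redact_exposed(parse_cmdline(raw)) for pid, raw in cmdlines.items()}
    return {pid: argv for pid, argv in hits.items() if argv}

def read_proc(root="/proc"):
    """Collect the cmdline buffers of live processes (Linux only)."""
    out = {}
    for name in filter(str.isdigit, os.listdir(root)):
        try:
            with open(os.path.join(root, name, "cmdline"), "rb") as f:
                out[int(name)] = f.read()
        except OSError:
            continue  # process exited or is not readable
    return out
```

`audit(SAMPLE)` checks the constructed buffers; `audit(read_proc())` checks the running system and, because such processes are short-lived, only catches invocations alive at the moment of the scan.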
Mitigation
Install update from vendor's website.
Vulnerable software versions
ansible (Alpine package): 2.5.5-r0
External links
http://git.alpinelinux.org/aports/commit/?id=64020ed2bf35f3daf3f5d0ea33fa5302a6d4524d
http://git.alpinelinux.org/aports/commit/?id=a8e3303effdf6b6773ed81ae3a234ab0b0273c2e
http://git.alpinelinux.org/aports/commit/?id=fec49fe2125540138443a630698b0e350a4cba3e
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.