Information disclosure in Ansible - CVE-2018-16876
Published: December 19, 2018 / Updated: December 20, 2018
Vulnerability identifier: #VU16629
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-16876
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Red Hat Inc.
Affected software:
Ansible
Ansible
Detailed vulnerability description
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to the affected software does not honor the no_log flag for failed tasks with vvv+ mode enabled. A remote attacker can send a specially crafted request to a targeted system via a connection plug-in that is designed to trigger connection exceptions, which could cause task information to be logged and access sensitive information, which could be used to conduct further attacks.
How to mitigate CVE-2018-16876
The vulnerability has been fixed in the versions 2.5.14, 2.6.11, and 2.7.5.