Insufficiently protected credentials in Ansible - CVE-2014-4659


Published: February 20, 2020 / Updated: July 17, 2020


Vulnerability identifier: #VU30356
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2014-4659
CWE-ID: CWE-522
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Red Hat Inc.
Affected software:
Ansible

Detailed vulnerability description

The vulnerability allows a local authenticated user to gain access to sensitive information.

Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format.
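A local check for the condition described above, added here as an example and not code from Ansible or from this advisory: it parses sources.list entries for repository URIs that embed a user:pass component and reports whether the file's "other" read bit (the 0644 case) makes them readable by any local user. The sample entries, hostnames and credentials are constructed.

```python
import os
import re
import stat
import tempfile
from urllib.parse import urlsplit

# Matches "deb http://user:pass@server:port/" entries (also deb-src and the
# optional [options] block apt allows before the URI).
DEB_LINE = re.compile(r'^\s*(deb|deb-src)\s+(\[[^\]]*\]\s+)?(\S+)')

def uri_has_credentials(uri: str) -> bool:
    """True if the repository URI embeds a userinfo part (user or user:pass)."""
    parts = urlsplit(uri)
    return parts.username is not None or parts.password is not None

def credential_lines(path: str) -> list:
    """1-based line numbers of entries whose URI embeds credentials."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            m = DEB_LINE.match(line)
            if m and uri_has_credentials(m.group(3)):
                hits.append(lineno)
    return hits

def audit_sources_file(path: str) -> dict:
    """Flag a file that both embeds credentials and is readable by any local user
    (the 0644 case from the advisory: 'other' has the read bit)."""
    lines = credential_lines(path)
    readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    return {"credential_lines": lines, "world_readable": readable,
            "exposed": bool(lines) and readable}

# Constructed sample, not a real repository: one plain entry, one with credentials.
SAMPLE = (
    "deb http://archive.example.invalid/debian stable main\n"
    "deb [arch=amd64] http://deploy:s3cret@repo.example.invalid:8080/ stable main\n"
    "# deb-src http://archive.example.invalid/debian stable main\n"
)

def demo(mode: int = 0o644) -> dict:
    """Write SAMPLE to a temporary file with the given mode and audit it."""
    fd, path = tempfile.mkstemp(suffix=".list")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE)
    os.chmod(path, mode)
    try:
        return audit_sources_file(path)
    finally:
        os.unlink(path)
```

Running `demo(0o644)` reports the credential line as exposed, while `demo(0o600)` reports the same line as present but not world-readable; pointing `audit_sources_file` at real files under /etc/apt/ applies the same check to a host.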


How to mitigate CVE-2014-4659

Install the update from the vendor's website.

Sources