Insufficiently protected credentials in Ansible - CVE-2014-4660

Published: February 20, 2020 / Updated: July 17, 2020

Vulnerability identifier: #VU30358
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2014-4660
CWE-ID: CWE-522
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Red Hat Inc.
Affected software:
Ansible

Detailed vulnerability description

The vulnerability allows a local authenticated user to gain access to sensitive information.

Ansible before 1.5.5 derives filenames from deb lines in sources.list and carries the user and password fields of those lines into the filename. This might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging the existence of a file that uses the "deb http://user:pass@server:port/" format.
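As an added illustration (not Ansible's own code), the following Python audits sources.list text for deb lines that embed credentials in the repository URL and contrasts a filename naively derived from the full URL, which carries the secret, with one derived after the userinfo is stripped. The sample lines, host names, credentials and the underscore-joined naming scheme are constructed assumptions, not Ansible's actual algorithm.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample sources.list content (placeholder hosts and credentials).
SAMPLE_SOURCES = """\
deb http://archive.example.org/debian stable main
deb http://builduser:s3cret@repo.example.org:8080/debian stable main
deb-src https://repo.example.org/debian stable main
# deb http://commented.example.org/debian stable main
"""

DEB_LINE = re.compile(r"^\s*(deb|deb-src)\s+(\S+)")


def repo_url(line):
    """Return the repository URL from a deb/deb-src line, or None for other lines."""
    m = DEB_LINE.match(line)
    return m.group(2) if m else None


def has_embedded_credentials(url):
    """True when the URL carries userinfo (user:pass@host)."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def strip_credentials(url):
    """Drop the user:pass@ part so anything derived from the URL never holds a secret."""
    parts = urlsplit(url)
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def derived_filename(url):
    """Assumed naming scheme: netloc and path joined with underscores, '.list' suffix.
    Because netloc still includes userinfo, an unstripped URL leaks it into the name."""
    parts = urlsplit(url)
    return re.sub(r"[^A-Za-z0-9.-]+", "_", parts.netloc + parts.path).strip("_") + ".list"


def audit_sources(text):
    """Return (url, leaked_name, safe_name) for every deb line that embeds credentials."""
    findings = []
    for line in text.splitlines():
        url = repo_url(line)
        if url and has_embedded_credentials(url):
            findings.append((url, derived_filename(url),
                             derived_filename(strip_credentials(url))))
    return findings
```

Running `audit_sources` over the sample text flags only the second line and shows the secret appearing in the leaked name but not in the stripped one; the same check can be pointed at a host's sources.list.d directory to spot repository files or filenames that carry credentials.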


How to mitigate CVE-2014-4660

Install the update from the vendor's website.

Sources