#VU12555 Information disclosure through log files in Red Hat Ansible Engine and Ansible - CVE-2017-7550

Cybersecurity Help s.r.o.

Published: 2018-03-05 | Updated: 2018-05-10

Vulnerability identifier: #VU12555

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-7550

CWE-ID: CWE-532

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Red Hat Ansible Engine
Universal components / Libraries / Software for developers
Ansible
Server applications / Remote management servers, RDP, SSH

Vendor: Red Hat Inc.

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to improper passing of certain parameters to the jenkins_plugin module. A remote attacker can gain access to potentially sensitive sensitive information from a remote host's logs.

Mitigation
Update to versions 2.3.3 or 2.4.1.

Vulnerable software versions

Red Hat Ansible Engine: 2.4

Ansible: 2.3.0 - 2.3.2

External links
https://github.com/ansible/ansible/issues/30874

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE update for SUSE Manager Client Tools

SUSE update for Security Beta update for SUSE Manager Client Tools and Salt

SUSE Linux update for ansible

Red Hat update for ansible