#VU16629 Information disclosure in Ansible - CVE-2018-16876
Published: December 19, 2018 / Updated: December 20, 2018
Ansible
Red Hat Inc.
Description
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists because the affected software does not honor the no_log flag for failed tasks when vvv+ mode is enabled. A remote attacker can send a specially crafted request to a targeted system via a connection plug-in that is designed to trigger connection exceptions, which could cause task information to be logged and allow the attacker to access sensitive information that could be used to conduct further attacks.
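A defender-side check for the condition described above, as an added example that is not part of the advisory or of Ansible's code: it flags recorded ansible-playbook command lines that reach -vvv while the task file relies on no_log. The task file, command lines and function names are constructed for illustration, and treating ANSIBLE_VERBOSITY as a base level that -v flags add to is an assumption.

```python
import re
import shlex

# Constructed sample inputs (not taken from the advisory).
SAMPLE_TASKS = """\
- name: set database password
  mysql_user:
    password: "{{ vault_db_password }}"
  no_log: true
"""
SAMPLE_COMMANDS = [
    "ansible-playbook -i inventory site.yml",
    "ansible-playbook -vvv -i inventory site.yml",
    "ansible-playbook -v --verbose -v site.yml",
    "ANSIBLE_VERBOSITY=4 ansible-playbook site.yml",
]
NO_LOG_RE = re.compile(r"^\s*no_log\s*:\s*(true|yes|on)\s*(#.*)?$", re.I)
NAME_RE = re.compile(r"^\s*-\s*name\s*:\s*(.+?)\s*$")

def effective_verbosity(command):
    """Verbosity requested by one command line (-v, -vvv, --verbose, env prefix)."""
    level = 0
    for tok in shlex.split(command):
        env = re.fullmatch(r"ANSIBLE_VERBOSITY=(\d+)", tok)
        if env:
            level += int(env.group(1))  # assumption: additive base level
        elif tok == "--verbose" or re.fullmatch(r"-v+", tok):
            level += 1 if tok == "--verbose" else len(tok) - 1
    return level

def no_log_tasks(yaml_text):
    """Names of tasks that set no_log true (line scan, not a full YAML parse)."""
    names, current = [], "<unnamed>"
    for line in yaml_text.splitlines():
        match = NAME_RE.match(line)
        if match:
            current = match.group(1)
        elif NO_LOG_RE.match(line):
            names.append(current)
    return names

def exposed_runs(commands, yaml_text, threshold=3):
    """Runs at -vvv or higher of a task file that relies on no_log."""
    protected = no_log_tasks(yaml_text)
    return [(c, effective_verbosity(c)) for c in commands
            if protected and effective_verbosity(c) >= threshold]

if __name__ == "__main__":
    print(exposed_runs(SAMPLE_COMMANDS, SAMPLE_TASKS))
```

Output captured from any flagged run should be reviewed for the values that no_log was meant to suppress.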