Vulnerability identifier: #VU16629
Vulnerability risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-200
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Ansible
Server applications /
Remote management servers, RDP, SSH
Vendor: Red Hat Inc.
Description
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to the affected software does not honor the no_log flag for failed tasks with vvv+ mode enabled. A remote attacker can send a specially crafted request to a targeted system via a connection plug-in that is designed to trigger connection exceptions, which could cause task information to be logged and access sensitive information, which could be used to conduct further attacks.
Mitigation
The vulnerability has been fixed in the versions 2.5.14, 2.6.11, and 2.7.5.
Vulnerable software versions
Ansible: 2.5.0 - 2.5.13, 2.6.0 - 2.6.10, 2.7.0 - 2.7.4
External links
http://access.redhat.com/security/cve/cve-2018-16876
http://github.com/ansible/ansible/pull/49569
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.