Vulnerability identifier: #VU16629

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-16876

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ansible
Server applications / Remote management servers, RDP, SSH

Vendor: Red Hat Inc.

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to the affected software does not honor the no_log flag for failed tasks with vvv+ mode enabled. A remote attacker can send a specially crafted request to a targeted system via a connection plug-in that is designed to trigger connection exceptions, which could cause task information to be logged and access sensitive information, which could be used to conduct further attacks.

Mitigation
The vulnerability has been fixed in the versions 2.5.14, 2.6.11, and 2.7.5.

Vulnerable software versions

Ansible: 2.5.0 - 2.5.13, 2.6.0 - 2.6.10, 2.7.0 - 2.7.4

---

External links
http://access.redhat.com/security/cve/cve-2018-16876
http://github.com/ansible/ansible/pull/49569

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.