Skip to main content

Ansible Engine CVE-2018-16837

HIGH
Invocation of Process Using Visible Sensitive Information (CWE-214)
2018-10-23 secalert@redhat.com
7.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Oct 23, 2018 - 15:29 nvd
HIGH 7.8

DescriptionNVD

Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list.

AnalysisAI

Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-214. Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list. Affected products include: Redhat Ansible Engine, Redhat Ansible Tower, Debian Debian Linux, Suse Package Hub.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2018-7750 CRITICAL POC
9.8 Mar 13

transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x

CVE-2020-14330 MEDIUM POC
5.5 Sep 11

An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is

CVE-2020-1753 MEDIUM POC
5.5 Mar 16

A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prio

CVE-2020-1737 HIGH
7.8 Mar 09

A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function f

CVE-2019-14846 HIGH
7.8 Oct 08

In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were l

CVE-2018-10875 HIGH
7.8 Jul 13

A flaw was found in ansible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patc

CVE-2018-10874 HIGH
7.8 Jul 02

In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command w

CVE-2021-20228 HIGH
7.5 Apr 29

A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the

CVE-2020-1734 HIGH
7.4 Mar 03

A flaw was found in the pipe lookup plugin of ansible. Rated high severity (CVSS 7.4). No vendor patch available.

CVE-2021-3583 HIGH
7.1 Sep 22

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. Rated high severity (CVSS 7.

CVE-2020-14365 HIGH
7.1 Sep 23

A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, wh

CVE-2018-10855 MEDIUM
5.9 Jul 03

Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. Rated medium sev

Share

CVE-2018-16837 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy