CVE-2014-4660

EPSS 0.12%
Veröffentlicht 20.02.2020 03:15:10
Zuletzt bearbeitet 21.11.2024 02:10:39
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Redhat ≫ Ansible Version < 1.5.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.12%	0.275

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	2.1	3.9	2.9	AV:L/AC:L/Au:N/C:P/I:N/A:N

CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md

Release Notes

https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08

Patch

https://security-tracker.debian.org/tracker/CVE-2014-4660

Patch

Third Party Advisory

https://www.openwall.com/lists/oss-security/2014/06/26/19

Patch

Third Party Advisory

Mailing List

https://www.securityfocus.com/bid/68231