4.4
CVE-2018-16859
- EPSS 0.54%
- Veröffentlicht 29.11.2018 18:29:00
- Zuletzt bearbeitet 21.11.2024 03:53:27
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Redhat ≫ Ansible Engine Version < 2.5.13
Redhat ≫ Ansible Engine Version >= 2.6.0 < 2.6.10
Redhat ≫ Ansible Engine Version >= 2.7.0 < 2.7.4
Redhat ≫ Ansible Engine Version >= 2.7.5 <= 2.8
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.54% | 0.408 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.4 | 0.8 | 3.6 |
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 2.1 | 3.9 | 2.9 |
AV:L/AC:L/Au:N/C:P/I:N/A:N
|
| secalert@redhat.com | 4.2 | 0.6 | 3.6 |
CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
|
CWE-532 Insertion of Sensitive Information into Log File
The product writes sensitive information to a log file.
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html
http://www.securityfocus.com/bid/106004
https://access.redhat.com/errata/RHSA-2018:3770
https://access.redhat.com/errata/RHSA-2018:3771
https://access.redhat.com/errata/RHSA-2018:3772
https://access.redhat.com/errata/RHSA-2018:3773
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16859
https://github.com/ansible/ansible/pull/49142