Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12NzM1LTJwcDYtaDg2cs4AATtv
Ansible Logs Passwords If PowerShell ScriptBlock is Enabled
Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.
Permalink: https://github.com/advisories/GHSA-v735-2pp6-h86r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12NzM1LTJwcDYtaDg2cs4AATtv
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 13 days ago
CVSS Score: 4.4
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-v735-2pp6-h86r, CVE-2018-16859
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-16859
- https://github.com/ansible/ansible/pull/49142
- https://access.redhat.com/errata/RHSA-2018:3770
- https://access.redhat.com/errata/RHSA-2018:3771
- https://access.redhat.com/errata/RHSA-2018:3772
- https://access.redhat.com/errata/RHSA-2018:3773
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16859
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html
- https://github.com/ansible/ansible/blob/v2.5.13/changelogs/CHANGELOG-v2.5.rst
- https://web.archive.org/web/20200227102121/http://www.securityfocus.com/bid/106004
- https://github.com/advisories/GHSA-v735-2pp6-h86r
Blast Radius: 18.3
Affected Packages
pypi:ansible
Dependent packages: 101
Dependent repositories: 14,706
Downloads: 5,315,152 last month
Affected Version Ranges: <= 2.8
No known fixed version
All affected versions: 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.7.1, 1.7.2, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 2.0.0, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10, 2.5.11, 2.5.12, 2.5.13, 2.5.14, 2.5.15, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.6.11, 2.6.12, 2.6.13, 2.6.14, 2.6.15, 2.6.16, 2.6.17, 2.6.18, 2.6.19, 2.6.20, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.7.10, 2.7.11, 2.7.12, 2.7.13, 2.7.14, 2.7.15, 2.7.16, 2.7.17, 2.7.18, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.8.11, 2.8.12, 2.8.13, 2.8.14, 2.8.15, 2.8.16, 2.8.17, 2.8.18, 2.8.19, 2.8.20