CVE Vulnerabilities

CVE-2018-16859

Insertion of Sensitive Information into Log File

Published: Nov 29, 2018 | Modified: Nov 21, 2024
CVSS 3.x
4.4
MEDIUM
Source:
NVD
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x
2.1 LOW
AV:L/AC:L/Au:N/C:P/I:N/A:N
RedHat/V2
RedHat/V3
4.2 MODERATE
CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Ubuntu

Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for become passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.

Weakness

The product writes sensitive information to a log file.

Affected Software

Name Vendor Start Version End Version
Ansible_engine Redhat * 2.5.13 (excluding)
Ansible_engine Redhat 2.6.0 (including) 2.6.10 (excluding)
Ansible_engine Redhat 2.7.0 (including) 2.7.4 (excluding)
Ansible_engine Redhat 2.7.5 (including) 2.8 (including)
Red Hat Ansible Engine 2.5 for RHEL 7 RedHat ansible-0:2.5.13-1.el7ae *
Red Hat Ansible Engine 2.6 for RHEL 7 RedHat ansible-0:2.6.10-1.el7ae *
Red Hat Ansible Engine 2.7 for RHEL 7 RedHat ansible-0:2.7.4-1.el7ae *
Red Hat Ansible Engine 2 for RHEL 7 RedHat ansible-0:2.7.4-1.el7ae *

Potential Mitigations

References