CVE-2018-16859 – ansible

Package

Manager: pip
Name: ansible
Vulnerable Version: >=2.7.0a1 <2.7.3 || >=0 <2.5.12 || >=2.6.0a1 <2.6.9

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00101 pctl0.28543

Details

Ansible Logs Passwords If PowerShell ScriptBlock is Enabled Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.

Metadata

Created: 2022-05-14T01:14:00Z
Modified: 2024-09-04T19:38:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-v735-2pp6-h86r/GHSA-v735-2pp6-h86r.json
CWE IDs: ["CWE-532"]
Alternative ID: GHSA-v735-2pp6-h86r
Finding: F005
Auto approve: 1