CVE-2018-16859
MEDIUM
4,2
Source: [email protected]
Attack Vector: local
Attack Complexity: low
Privileges Required: high
User Interaction: required
Scope: unchanged
Confidentiality: high
Integrity: none
Availability: none
LOW
2,1
Source: [email protected]
Access Vector: local
Access Complexity: low
Authentication: none
Confidentiality: partial
Integrity: none
Availability: none
Description
AI Translation Available
Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.
EPSS (Exploit Prediction Scoring System)
Trend Analysis
EPSS (Exploit Prediction Scoring System)
Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.
EPSS Score
0,0010
Percentile
0,3th
Updated
EPSS Score Trend (Last 90 Days)
532
Insertion of Sensitive Information into Log File
IncompleteCommon Consequences
Security Scopes Affected:
Confidentiality
Potential Impacts:
Read Application Data
Applicable Platforms
All platforms may be affected
Application
Ansible Engine by Redhat
Version Range Affected
From
2.7.0
(inclusive)
To
2.7.4
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Ansible Engine by Redhat
Version Range Affected
From
2.6.0
(inclusive)
To
2.6.10
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Ansible Engine by Redhat
Version Range Affected
From
2.7.5
(inclusive)
To
2.8
(inclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Ansible Engine by Redhat
Version Range Affected
To
2.5.13
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html
https://access.redhat.com/errata/RHSA-2018:3770
https://access.redhat.com/errata/RHSA-2018:3771
https://access.redhat.com/errata/RHSA-2018:3772
https://access.redhat.com/errata/RHSA-2018:3773
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16859
https://github.com/ansible/ansible/pull/49142
http://www.securityfocus.com/bid/106004
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html
https://access.redhat.com/errata/RHSA-2018:3770
https://access.redhat.com/errata/RHSA-2018:3771
https://access.redhat.com/errata/RHSA-2018:3772
https://access.redhat.com/errata/RHSA-2018:3773
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16859
https://github.com/ansible/ansible/pull/49142
http://www.securityfocus.com/bid/106004