GitHub Advisory DatabaseGHSA-5XM4-JMPW-P6J3Ansible discloses credential information
2.1 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.0004 Low
EPSS
Percentile
5.1%
Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the deb http://user:pass@server:port/ format.
Affected configurations
References
github.com/advisories/GHSA-5xm4-jmpw-p6j3
github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md
github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08
nvd.nist.gov/vuln/detail/CVE-2014-4660
security-tracker.debian.org/tracker/CVE-2014-4660
web.archive.org/web/20200229060002/https://www.securityfocus.com/bid/68231
www.openwall.com/lists/oss-security/2014/06/26/19
Related
2.1 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.0004 Low
EPSS
Percentile
5.1%