GoogleOSV:GHSA-HWRM-63V2-42G4Ansible Leaks Data Passed to ssh-keygen
Ansible “User” module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list.
References
lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html
lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html
access.redhat.com/errata/RHSA-2018:3460
access.redhat.com/errata/RHSA-2018:3461
access.redhat.com/errata/RHSA-2018:3462
access.redhat.com/errata/RHSA-2018:3463
access.redhat.com/security/cve/cve-2018-16837
bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837
github.com/ansible/ansible
github.com/ansible/ansible/blob/c963ef1dfbf73efea5106624eb48b346f01eaefd/changelogs/CHANGELOG-v2.7.rst?plain=1#L138
github.com/ansible/ansible/pull/47436
github.com/ansible/ansible/pull/47487
lists.debian.org/debian-lts-announce/2018/11/msg00012.html
nvd.nist.gov/vuln/detail/CVE-2018-16837
usn.ubuntu.com/4072-1
web.archive.org/web/20181211081905/www.securityfocus.com/bid/105700
www.debian.org/security/2019/dsa-4396
Related
