CVE-2014-4658 — Sensitive Information Exposure in Redhat Ansible

CWE-200 — Sensitive Information Exposure10 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 69.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Ansible

Timeline

PublishedFeb 20

Latest updateMay 17

Description

The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶NVDredhat/ansible< 1.5.5

▶PyPIredhat/ansible< 1.5.5

▶Debianredhat/ansible< 1.5.5+dfsg-1+3

🔴Vulnerability Details

GHSA

Ansible Sensitive Files Are Locally Readable↗2022-05-17

▶

OSV

Ansible Sensitive Files Are Locally Readable↗2022-05-17

▶

OSV

CVE-2014-4658: The vault subsystem in Ansible before 1↗2020-02-20

▶

CVEList

CVE-2014-4658: The vault subsystem in Ansible before 1↗2020-02-20

▶

📋Vendor Advisories

Red Hat

ansible: incorrect umask mode before creating/editing vault subsystem allows allows exposure of sensitive key information↗2014-04-18

▶

Debian

CVE-2014-4658: ansible - The vault subsystem in Ansible before 1.5.5 does not set the umask before creati...↗2014

▶

💬Community

Bugzilla

CVE-2014-4658 ansible: incorrect umask mode before creating/editing vault subsystem allows allows exposure of sensitive key information [fedora-all]↗2020-05-04

▶

Bugzilla

CVE-2014-4658 ansible: incorrect umask mode before creating/editing vault subsystem allows allows exposure of sensitive key information [epel-all]↗2020-05-04

▶

Bugzilla

CVE-2014-4658 ansible: incorrect umask mode before creating/editing vault subsystem allows allows exposure of sensitive key information↗2020-05-04

▶