CVE-2014-4659: Insufficiently Protected Credentials in Red Hat Ansible

Severity: 5.5 MEDIUM (NVD)
EPSS: 0.1% (top 76.21%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Feb 20
Latest update: May 17

Description

Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6

Affected Packages (3 packages)

NVD: redhat/ansible < 1.5.5
PyPI: redhat/ansible < 1.5.5
Debian: redhat/ansible < 1.5.5+dfsg-1+3

🔴 Vulnerability Details (4)

GHSA: Ansible sets unsafe permissions for sources.list (2022-05-17)
OSV: Ansible sets unsafe permissions for sources.list (2022-05-17)
OSV: CVE-2014-4659: Ansible before 1 (2020-02-20)
CVEList: CVE-2014-4659: Ansible before 1 (2020-02-20)

📋 Vendor Advisories (2)

Red Hat: ansible: information disclosure through incorrect file permission (2014-06-26)
Debian: CVE-2014-4659: ansible - Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow l... (2014)

💬 Community (3)

Bugzilla: CVE-2014-4659 ansible: information disclosure through incorrect file permission [epel-all] (2020-05-04)
Bugzilla: CVE-2014-4659 ansible: information disclosure through incorrect file permission [fedora-all] (2020-05-04)
Bugzilla: CVE-2014-4659 ansible: information disclosure through incorrect file permission (2020-05-04)