CVE-2014-4660 — Insufficiently Protected Credentials in Redhat Ansible

CWE-522 — Insufficiently Protected Credentials CWE-200 — Sensitive Information Exposure6 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 69.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Ansible

Timeline

PublishedFeb 20

Latest updateMay 17

Description

Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶NVDredhat/ansible< 1.5.5

▶PyPIredhat/ansible< 1.5.5

▶Debianredhat/ansible< 1.5.5+dfsg-1+3

Patches

Patch: github.com ↗Patch: security-tracker.debian.org ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

Ansible discloses credential information↗2022-05-17

▶

OSV

Ansible discloses credential information↗2022-05-17

▶

OSV

CVE-2014-4660: Ansible before 1↗2020-02-20

▶

CVEList

CVE-2014-4660: Ansible before 1↗2020-02-20

▶

📋Vendor Advisories

Debian

CVE-2014-4660: ansible - Ansible before 1.5.5 constructs filenames containing user and password fields on...↗2014

▶