CVE-2018-1117Log File Information Exposure in Ovirt-ansible-roles

CWE-532Log File Information Exposure5 documents5 sources
Severity
9.8CRITICALNVD
CNA5.0
EPSS
0.2%
top 57.51%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Ovirt Ovirt-ansible-rolesRedhat Enterprise Virtualization
Timeline
PublishedJun 20
Latest updateMay 13

Description

ovirt-ansible-roles before version 1.0.6 has a vulnerability due to a missing no_log directive, resulting in the 'Add oVirt Provider to ManageIQ/CloudForms' playbook inadvertently disclosing admin passwords in the provisioning log. In an environment where logs are shared with other parties, this could lead to privilege escalation.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

🔴Vulnerability Details

2
GHSA
GHSA-xghx-gh8p-84h2: ovirt-ansible-roles before version 12022-05-13
CVEList
CVE-2018-1117: ovirt-ansible-roles before version 12018-06-19

📋Vendor Advisories

1
Red Hat
ovirt-ansible-roles: passwords revealed in ansible log when provisioning new provider2018-05-15

💬Community

1
Bugzilla
CVE-2018-1117 ovirt-ansible-roles: passwords revealed in ansible log when provisioning new provider2018-05-04
CVE-2018-1117 — Log File Information Exposure | cvebase