CVE-2018-16837Invocation of Process Using Visible Sensitive Information in Redhat Ansible

CWE-214Invocation of Process Using Visible Sensitive InformationCWE-311Missing Encryption of Sensitive Data10 documents8 sources
Severity
7.8HIGHNVD
OSV9.8
EPSS
0.0%
top 87.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Redhat AnsibleDebian LinuxRedhat Ansible Engine+1 more
Timeline
PublishedOct 23
Latest updateMay 13

Description

Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

PyPIredhat/ansible2.7.0a12.7.1+2
Debianredhat/ansible< 2.7.1+dfsg-1+3
Ubunturedhat/ansible< 2.0.0.2-2ubuntu1.3+1
NVDredhat/ansible_engine4 versions+3

Also affects: Debian Linux 8.0, 9.0

🔴Vulnerability Details

5
GHSA
Ansible Leaks Data Passed to ssh-keygen2022-05-13
OSV
Ansible Leaks Data Passed to ssh-keygen2022-05-13
OSV
ansible vulnerabilities2019-07-24
OSV
CVE-2018-16837: Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen2018-10-23
CVEList
CVE-2018-16837: Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen2018-10-23

📋Vendor Advisories

3
Ubuntu
Ansible vulnerabilities2019-07-24
Red Hat
Ansible: Information leak in "user" module2018-10-23
Debian
CVE-2018-16837: ansible - Ansible "User" module leaks any data which is passed on as a parameter to ssh-ke...2018

💬Community

1
Bugzilla
CVE-2018-16837 Ansible: Information leak in "user" module2018-10-18