Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format.
References
Link | Resource |
---|---|
https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md | Release Notes |
https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08 | Patch |
https://security-tracker.debian.org/tracker/CVE-2014-4660 | Patch Third Party Advisory |
https://www.openwall.com/lists/oss-security/2014/06/26/19 | Mailing List Patch Third Party Advisory |
https://www.securityfocus.com/bid/68231 | Third Party Advisory VDB Entry |
Configurations
History
No history.
Information
Published : 2020-02-20 03:15
Updated : 2024-02-28 17:28
NVD link : CVE-2014-4660
Mitre link : CVE-2014-4660
CVE.ORG link : CVE-2014-4660
JSON object : View
Products Affected
redhat
- ansible
CWE
CWE-522
Insufficiently Protected Credentials