
exploitDog


CVE-2018-16837

Published: 23 Oct 2018
Source: nvd
CVSS3: 7.8
CVSS2: 2.1
EPSS: Low

Description

The Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lead to undesirable situations, such as passphrase credentials passed as a parameter to the ssh-keygen executable. This shows those credentials in clear text to every user who has access just to the process list.

Vulnerable configurations

Configuration 1

Any of

cpe:2.3:a:redhat:ansible_engine:2.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_engine:2.5:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_engine:2.6:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_engine:2.7:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_tower:3.3.0:*:*:*:*:*:*:*

Configuration 2

Any of

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3

All of

cpe:2.3:a:suse:package_hub:-:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise:12.0:*:*:*:*:*:*:*

EPSS

Percentile: 12%
0.0004
Low

7.8 High

CVSS3

2.1 Low

CVSS2

Weaknesses

CWE-214
CWE-311

Related vulnerabilities

CVSS3: 7.8
ubuntu
more than 7 years ago

Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lead to undesirable situations, such as passphrase credentials passed as a parameter to the ssh-keygen executable. This shows those credentials in clear text to every user who has access just to the process list.

CVSS3: 7.8
redhat
more than 7 years ago

Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lead to undesirable situations, such as passphrase credentials passed as a parameter to the ssh-keygen executable. This shows those credentials in clear text to every user who has access just to the process list.

CVSS3: 7.8
debian
more than 7 years ago

Ansible "User" module leaks any data which is passed on as a parameter ...

CVSS3: 7.8
github
more than 3 years ago

Ansible Leaks Data Passed to ssh-keygen

CVSS3: 7.8
fstec
more than 7 years ago

Vulnerability in the "User" module of the Ansible configuration management system, related to the disclosure of data passed as parameters to the ssh-keygen utility, allowing an attacker to gain unauthorized access to a user's confidential information
