Описание
Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list.
The User module in Ansible leaks any data which is passed on as a parameter to ssh-keygen. This could lead to undesirable situations such as passphrase credentials being passed as a parameter for the ssh-keygen executable, showing those credentials in clear text form for every user which have access just to the process list.
Отчет
This issue affects the version of ansible as shipped with Red Hat Ceph Storage 3, as it contains the vulnerable code which leaks the data when ssh-keygen is invoked with any arguments.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ceph Storage 2 | ansible | Out of support scope | ||
| Red Hat Ceph Storage 3 | ansible | Affected | ||
| Red Hat OpenStack Platform 10 (Newton) | ansible | Will not fix | ||
| Red Hat Storage 3 | ansible | Will not fix | ||
| Red Hat Ansible Engine 2.5 for RHEL 7 | ansible | Fixed | RHSA-2018:3461 | 05.11.2018 |
| Red Hat Ansible Engine 2.6 for RHEL 7 | ansible | Fixed | RHSA-2018:3460 | 05.11.2018 |
| Red Hat Ansible Engine 2.7 for RHEL 7 | ansible | Fixed | RHSA-2018:3463 | 05.11.2018 |
| Red Hat Ansible Engine 2 for RHEL 7 | ansible | Fixed | RHSA-2018:3462 | 05.11.2018 |
| Red Hat OpenStack Platform 13.0 (Queens) | ansible | Fixed | RHSA-2019:0564 | 14.03.2019 |
| Red Hat OpenStack Platform 13.0 (Queens) | openstack-ec2-api | Fixed | RHSA-2019:0564 | 14.03.2019 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.8 High
CVSS3
Связанные уязвимости
Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list.
Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list.
Ansible "User" module leaks any data which is passed on as a parameter ...
Уязвимость модуля «User» системы управления конфигурациями Ansible, связанная с раскрытием данных, передаваемых в качестве параметров утилите ssh-keygen, позволяющая нарушителю получить несанкционированный доступ к конфиденциальной информации пользователя
EPSS
7.8 High
CVSS3