Vulnerability Details CVE-2018-16837
Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 11.9%
CVSS Severity
CVSS v3 Score 7.8
CVSS v2 Score 2.1
References
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html
- http://www.securityfocus.com/bid/105700
- https://access.redhat.com/errata/RHSA-2018:3460
- https://access.redhat.com/errata/RHSA-2018:3461
- https://access.redhat.com/errata/RHSA-2018:3462
- https://access.redhat.com/errata/RHSA-2018:3463
- https://access.redhat.com/errata/RHSA-2018:3505
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837
- https://lists.debian.org/debian-lts-announce/2018/11/msg00012.html
- https://usn.ubuntu.com/4072-1/
- https://www.debian.org/security/2019/dsa-4396
- https://access.redhat.com/security/cve/cve-2018-16837
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html
- http://www.securityfocus.com/bid/105700
- https://access.redhat.com/errata/RHSA-2018:3460
- https://access.redhat.com/errata/RHSA-2018:3461
- https://access.redhat.com/errata/RHSA-2018:3462
- https://access.redhat.com/errata/RHSA-2018:3463
- https://access.redhat.com/errata/RHSA-2018:3505
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837
- https://lists.debian.org/debian-lts-announce/2018/11/msg00012.html
- https://usn.ubuntu.com/4072-1/
- https://www.debian.org/security/2019/dsa-4396
Products affected by CVE-2018-16837
-
cpe:2.3:a:redhat:ansible_engine:2.0
-
cpe:2.3:a:redhat:ansible_engine:2.5
-
cpe:2.3:a:redhat:ansible_engine:2.6
-
cpe:2.3:a:redhat:ansible_engine:2.7
-
cpe:2.3:a:redhat:ansible_tower:3.3.0
-
cpe:2.3:a:suse:package_hub:-
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:debian:debian_linux:9.0
-
cpe:2.3:o:suse:linux_enterprise:12.0