PT-2018-2517 · Red Hat+2 · Ansible+2

Borja Tarraso +1 · Published 2018-10-18 · Updated 2026-06-03 · CVE-2018-16837

CVSS v4.0: 8.5 (High)

Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Ansible (affected versions not specified)
Description: The issue is related to the Ansible "User" module, which leaks data passed as parameters to ssh-keygen. This could lead to undesirable situations where sensitive information, such as passphrases or credentials, is exposed in clear text to users with access to the process list. An attacker could exploit this to gain unauthorized access to confidential user information by accessing the process list.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
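
A defensive check for the exposure described above, added here as an example and not taken from the advisory or from Ansible's code: it reads Linux `/proc/<pid>/cmdline` entries and reports `ssh-keygen` processes whose arguments carry a non-empty passphrase, with the value redacted. That the leaked parameter is the `ssh-keygen` passphrase option (`-N` or `-P`) is an assumption based on the description; the function names and sample command lines are constructed for illustration.

```python
import os

# ssh-keygen options whose value is a passphrase: -N (new), -P (old).
PASSPHRASE_FLAGS = {b"-N", b"-P"}

def exposed_passphrase_args(cmdline):
    """Take raw /proc/<pid>/cmdline bytes (NUL-separated argv). Return the
    command line with the passphrase redacted if it is an ssh-keygen call
    with a non-empty passphrase in argv, otherwise None."""
    raw = cmdline[:-1] if cmdline.endswith(b"\0") else cmdline
    argv = raw.split(b"\0")
    if os.path.basename(argv[0]) != b"ssh-keygen":
        return None
    out, leaked, args = [], False, iter(argv)
    for arg in args:
        if arg[:2] in PASSPHRASE_FLAGS:
            # Value is attached (-Nvalue) or the next argument (-N value).
            value = arg[2:] or next(args, b"")
            leaked = leaked or bool(value)  # an empty passphrase exposes nothing
            arg = arg[:2] + (b" <redacted>" if value else b" ''")
        out.append(arg)
    return b" ".join(out).decode(errors="replace") if leaked else None

def scan_proc(proc="/proc"):
    """Check every process visible to the caller; return [(pid, cmdline)]."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                hit = exposed_passphrase_args(fh.read())
        except OSError:
            continue  # process exited or is not readable
        if hit:
            findings.append((int(pid), hit))
    return findings

# Constructed sample command lines (not captured from a real system).
SAMPLES = [
    b"/usr/bin/ssh-keygen\0-q\0-t\0rsa\0-N\0example-passphrase\0-f\0/home/alice/.ssh/id_rsa\0",
    b"ssh-keygen\0-q\0-t\0rsa\0-N\0\0-f\0/home/bob/.ssh/id_rsa\0",
    b"/usr/sbin/sshd\0-D\0",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(exposed_passphrase_args(sample))
```
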

Missing Encryption of Sensitive Data

Information Disclosure


Weakness Enumeration

Related Identifiers

BDU:2019-00888
CVE-2018-16837
DLA-1576-1
DSA-4396-1
GHSA-HWRM-63V2-42G4
OPENSUSE-SU-2019:1125-1
OPENSUSE-SU-2019:1635-1
OPENSUSE-SU-2019:1858-1
OPENSUSE-SU-2019_1635-1
OPENSUSE-SU-2022:0081-1
OPENSUSE-SU-2024:10615-1
OPENSUSE-SU-2024:14244-1
OPENSUSE-SU-2024:14536-1
OPENSUSE-SU-2025:15605-1
OPENSUSE-SU-2025:15753-1
OPENSUSE-SU-2026:10944-1
PYSEC-2018-44
RHSA-2018:3460
RHSA-2018:3461
RHSA-2018:3462
RHSA-2018:3463
RHSA-2019:0564
RHSA-2019:0590
SUSE-SU-2020:3309-1
USN-4072-1

Affected Products

Ansible
SUSE
Ubuntu