PT-2020-7684 · Ansible+1 · Ansible+2

Published

2014-04-22

Updated

2022-05-17

CVE-2014-4660

CVSS v4.0

6.8

Medium

Vector

AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Ansible versions prior to 1.5.5

Description The issue allows local users to potentially obtain sensitive credential information in certain circumstances. This is possible when a file exists that uses the "deb http://user:pass@server:port/" format in sources.list. The problem arises from how filenames are constructed based on deb lines in sources.list, which might include user and password fields.

Recommendations For Ansible versions prior to 1.5.5, update to version 1.5.5 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive files that contain credential information in the sources.list format. Avoid using the deb http://user:pass@server:port/ format in sources.list until the issue is resolved.

Fix

Information Disclosure

Insufficiently Protected Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200CWE-522

Related Identifiers

ALT-PU-2014-1523

CVE-2014-4660

GHSA-5XM4-JMPW-P6J3

PYSEC-2020-202

Affected Products

Alt Linux

Ansible

Ansible-Core

PT-2020-7684 · Ansible+1 · Ansible+2

CVE-2014-4660

Weakness Enumeration

Related Identifiers

Affected Products

References · 16