CVE-2018-16876

Current Description

Ansible before versions 2.5.14, 2.6.11, and 2.7.5 is vulnerable to an information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensitive data.

Basic Data

Published: January 03, 2019
Last Modified: May 29, 2020
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-200
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:S/C:P/I:N/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: SINGLE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 3.5
Severity: LOW
Exploitability Score: 6.8
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
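    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | Application | Redhat | Ansible | * | * | * | * | * | * | * | * | 2.5.0 |  |  | 2.5.14
    2.3 | Application | Redhat | Ansible | * | * | * | * | * | * | * | * | 2.6.0 |  |  | 2.6.11
    2.3 | Application | Redhat | Ansible | * | * | * | * | * | * | * | * | 2.7.0 |  |  | 2.7.5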
  • OR - Configuration 2
    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | OS | Debian | Debian Linux | 9.0 | * | * | * | * | * | * | * |  |  |  | 
  • OR - Configuration 3
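    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | Application | Redhat | Ansible Engine | 2.0 | * | * | * | * | * | * | * |  |  |  | 
    2.3 | Application | Redhat | Ansible Engine | 2.5 | * | * | * | * | * | * | * |  |  |  | 
    2.3 | Application | Redhat | Ansible Engine | 2.6 | * | * | * | * | * | * | * |  |  |  | 
    2.3 | Application | Redhat | Ansible Engine | 2.7 | * | * | * | * | * | * | * |  |  |  | 
    2.3 | Application | Redhat | Openstack | 14.0 | * | * | * | * | * | * | * |  |  |  | 
    2.3 | OS | Redhat | Enterprise Linux Desktop | 7.0 | * | * | * | * | * | * | * |  |  |  | 
    2.3 | OS | Redhat | Enterprise Linux Server | 7.0 | * | * | * | * | * | * | * |  |  |  | 
    2.3 | OS | Redhat | Enterprise Linux Workstation | 7.0 | * | * | * | * | * | * | * |  |  |  | 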
  • AND
    • OR - Configuration 4
      Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
      2.3 | Application | Suse | Package Hub | - | * | * | * | * | * | * | * |  |  |  | 
    • OR Running on/with:
      Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
      2.3 | OS | Suse | Linux Enterprise | 12.0 | * | * | * | * | * | * | * |  |  |  | 
  • OR - Configuration 5
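    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | OS | Canonical | Ubuntu Linux | 16.04 | * | * | * | lts | * | * | * |  |  |  | 
    2.3 | OS | Canonical | Ubuntu Linux | 18.04 | * | * | * | lts | * | * | * |  |  |  | 
    2.3 | OS | Canonical | Ubuntu Linux | 19.04 | * | * | * | * | * | * | * |  |  |  | 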

Vulnerable Software List

Vendor | Product | Versions
Debian | Debian Linux | 9.0
Redhat | Openstack | 14.0
Redhat | Enterprise Linux Workstation | 7.0
Redhat | Ansible | *
Redhat | Enterprise Linux Desktop | 7.0
Redhat | Ansible Engine | 2.0, 2.5, 2.6, 2.7
Redhat | Enterprise Linux Server | 7.0
Canonical | Ubuntu Linux | 16.04, 18.04, 19.04
Suse | Package Hub | -

References

Name | Source | URL | Tags
openSUSE-SU-2019:1125 | SUSE | http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html | Third Party Advisory
openSUSE-SU-2019:1635 | SUSE | http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html | Third Party Advisory
openSUSE-SU-2019:1858 | SUSE | http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html | Third Party Advisory
106225 | BID | http://www.securityfocus.com/bid/106225 | Third Party Advisory, VDB Entry
RHSA-2018:3835 | REDHAT | https://access.redhat.com/errata/RHSA-2018:3835 | Vendor Advisory
RHSA-2018:3836 | REDHAT | https://access.redhat.com/errata/RHSA-2018:3836 | Vendor Advisory
RHSA-2018:3837 | REDHAT | https://access.redhat.com/errata/RHSA-2018:3837 | Vendor Advisory
RHSA-2018:3838 | REDHAT | https://access.redhat.com/errata/RHSA-2018:3838 | Vendor Advisory
RHSA-2019:0564 | REDHAT | https://access.redhat.com/errata/RHSA-2019:0564 | Vendor Advisory
RHSA-2019:0590 | REDHAT | https://access.redhat.com/errata/RHSA-2019:0590 | Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16876 | CONFIRM | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16876 | Issue Tracking, Patch, Vendor Advisory
https://github.com/ansible/ansible/pull/49569 | MISC | https://github.com/ansible/ansible/pull/49569 | Patch, Third Party Advisory
USN-4072-1 | UBUNTU | https://usn.ubuntu.com/4072-1/ | Third Party Advisory
DSA-4396 | DEBIAN | https://www.debian.org/security/2019/dsa-4396 | Third Party Advisory