Synced 17 Jun 2026 22:27 UTC

CVE-2014-4660

MEDIUM severity · CVSS 5.5 · CWE-522

Summary

Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format.

Impact & exploitability

Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality impact: High
Integrity impact: None
Availability impact: None
Exploit probability (EPSS): 0%

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected products we track (1)

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Official patch: https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08