Ansible Logs Passwords If PowerShell ScriptBlock is Enabled

🗓️ 14 May 2022 01:14:00Reported by GitHub Advisory DatabaseType

Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable

Reporter	Title	Published	Views	Family All 69
ATTACKERKB	CVE-2018-16859	29 Nov 201818:29	–	attackerkb
AlpineLinux	CVE-2018-16859	29 Nov 201817:00	–	alpinelinux
CNVD	Ansible Playbooks Information Disclosure Vulnerability	27 Nov 201800:00	–	cnvd
CVE	CVE-2018-16859	29 Nov 201817:00	–	cve
Cvelist	CVE-2018-16859	29 Nov 201817:00	–	cvelist
Debian CVE	CVE-2018-16859	29 Nov 201817:00	–	debiancve
EUVD	EUVD-2018-0019	7 Oct 202500:30	–	euvd
NVD	CVE-2018-16859	29 Nov 201818:29	–	nvd
Tenable Nessus	openSUSE Security Update : ansible (openSUSE-2019-1125)	3 Apr 201900:00	–	nessus
Tenable Nessus	openSUSE Security Update : ansible (openSUSE-2019-1635)	28 Jun 201900:00	–	nessus

Vulners

Node

ansible ansibleRange2.6.0a1–2.6.9pip

ansible ansibleRange0–2.5.12pip

ansible ansibleRange2.7.0a1–2.7.3pip

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2018-16859
github	www.github.com/ansible/ansible/pull/49142
access	www.access.redhat.com/errata/RHSA-2018:3770
access	www.access.redhat.com/errata/RHSA-2018:3771
access	www.access.redhat.com/errata/RHSA-2018:3772
access	www.access.redhat.com/errata/RHSA-2018:3773
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
lists	www.lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
lists	www.lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html
lists	www.lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html

04 Sep 2024 19:38Current

4.9Medium risk

Vulners AI Score4.9

CVSS 22.1

CVSS 34.2 - 4.4

EPSS0.00091

CWE-532