CVE-2018-16837: Information Exposure
(updated )
The ansible ‘User’ module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list.
References
- www.securityfocus.com/bid/105700
- github.com/ansible/ansible/blob/stable-2.5/changelogs/CHANGELOG-v2.5.rst
- github.com/ansible/ansible/blob/stable-2.6/changelogs/CHANGELOG-v2.6.rst
- github.com/ansible/ansible/blob/stable-2.7/changelogs/CHANGELOG-v2.7.rst
- github.com/ansible/ansible/commit/a0aa53d1a1d6075a7ae98ace138712ee6cb45ae4
- github.com/ansible/ansible/pull/47436
- nvd.nist.gov/vuln/detail/CVE-2018-16837
Code Behaviors & Features
Detect and mitigate CVE-2018-16837 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →