CVE-2018-16859: Information Exposure
(updated )
Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for ‘become’ passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password.
References
- www.securityfocus.com/bid/106004
- access.redhat.com/errata/RHSA-2018:3770
- access.redhat.com/errata/RHSA-2018:3771
- access.redhat.com/errata/RHSA-2018:3772
- access.redhat.com/errata/RHSA-2018:3773
- bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16859
- cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16859
- cwe.mitre.org/data/definitions/200.html
- github.com/ansible/ansible/commit/8c1f701e6e9df29fe991f98265e2dd76acca4b8c
- github.com/ansible/ansible/pull/49142
Code Behaviors & Features
Detect and mitigate CVE-2018-16859 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →