CVE-2014-4660
MEDIUM
Ansible < 1.5.5 - Insufficiently Protected Credentials via sources.list deb Line Parsing
Title source: llm
Description
Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format.
References (5)
Core References
Release Notes x_refsource_misc
https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md
Third Party Advisory, VDB Entry x_refsource_misc
https://www.securityfocus.com/bid/68231
Mailing List, Patch, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2014/06/26/19
Patch, Third Party Advisory x_refsource_misc
https://security-tracker.debian.org/tracker/CVE-2014-4660
Patch x_refsource_misc
https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08
Scores
CVSS v3
5.5
EPSS
0.0038
EPSS Percentile
29.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-522
Status
published
Products (2)
pypi/ansible
0 - 1.5.5 (PyPI)
redhat/ansible
< 1.5.5
Published
Feb 20, 2020
Tracked Since
Feb 18, 2026