Description
The Ansible "User" module leaks any data that is passed as a parameter to ssh-keygen. This could lead to undesirable situations, such as passphrase credentials being passed as a parameter to the ssh-keygen executable and shown in clear text to every user who has access to the process list.
References (14)
Scores
CVSS v3
7.8
EPSS
0.0005
EPSS Percentile
14.9%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-214
CWE-311
Status
published
Products (9)
debian/debian_linux
8.0
debian/debian_linux
9.0
pypi/ansible
2.7.0a1 - 2.7.1 (PyPI)
redhat/ansible_engine
2.0
redhat/ansible_engine
2.5
redhat/ansible_engine
2.6
redhat/ansible_engine
2.7
redhat/ansible_tower
3.3.0
suse/package_hub
Published
Oct 23, 2018
Tracked Since
Feb 18, 2026