Description
Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.
References (10)
Core 10
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/ansible/ansible/pull/49142
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3770
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16859
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3771
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/106004
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3773
Issue Tracking, Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3772
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html
Scores
CVSS v3
4.2
EPSS
0.0010
EPSS Percentile
26.2%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Details
CWE
CWE-532
Status
published
Products (2)
pypi/ansible
2.7.0a1 - 2.7.3PyPI
redhat/ansible_engine
< 2.5.13
Published
Nov 29, 2018
Tracked Since
Feb 18, 2026