CVE-2014-4660

Published: 20 February 2020

Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format.
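A simplified illustration of the flaw described above, added here and not Ansible's own code or the upstream patch: one function derives a file name from a deb line after dropping only the scheme, a hardened one builds it from host, port and path, and an audit helper flags leftover file names that embed credentials. All function names, the `.list` naming rule and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

SOURCE_TYPES = ("deb", "deb-src")

def _cleanup(text):
    """Collapse every non-alphanumeric run into a single underscore."""
    return "_".join(re.sub(r"[^a-zA-Z0-9]", " ", text).split())

def _uri_of(line):
    """Return the repository URI of a deb line, skipping type and [options]."""
    line = re.sub(r"\[[^\]]+\]", "", line)
    return [p for p in line.split() if p not in SOURCE_TYPES][0]

def filename_leaky(line):
    """Flawed pattern: only the scheme is dropped, so user:pass lands in the name."""
    return _cleanup(re.sub(r"^\w+://", "", _uri_of(line))) + ".list"

def filename_safe(line):
    """Hardened pattern: build the name from host, port and path only."""
    url = urlsplit(_uri_of(line))
    host = url.hostname or ""
    if url.port:
        host += ":%d" % url.port
    return _cleanup(host + url.path) + ".list"

def audit(deb_lines, existing_names):
    """Return existing file names that match the leaky form of a credentialed line."""
    hits = []
    for line in deb_lines:
        if urlsplit(_uri_of(line)).username is None:
            continue  # no userinfo in the URI, nothing to leak
        leaky = filename_leaky(line)
        if leaky in existing_names:
            hits.append(leaky)
    return hits

# Constructed sample data (hypothetical, not taken from the advisory).
SAMPLE_LINES = [
    "deb http://alice:s3cret@repo.example.com:8080/ubuntu trusty main",
    "deb [arch=amd64] http://archive.example.org/ubuntu trusty main",
]
SAMPLE_DIR = ["alice_s3cret_repo_example_com_8080_ubuntu.list",
              "archive_example_org_ubuntu.list"]

if __name__ == "__main__":
    for deb_line in SAMPLE_LINES:
        print(filename_leaky(deb_line), "->", filename_safe(deb_line))
    print("leaky files:", audit(SAMPLE_LINES, SAMPLE_DIR))
```

Files that `audit` reports should be renamed and the exposed repository password rotated, since upgrading does not remove names that were already written.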

From the Ubuntu security team

It was discovered that Ansible created filenames containing sensitive information. An attacker could use this vulnerability to obtain unauthorized access to a private Ubuntu repository.

Priority

Medium

CVSS 3 base score: 5.5

Status

Package: ansible (Launchpad, Ubuntu, Debian)

Release status:
Upstream: Released (1.5.5+dfsg-1)
Ubuntu 21.10 (Impish Indri): Not vulnerable (1.6.5+dfsg-1)
Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (1.6.5+dfsg-1)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (1.6.5+dfsg-1)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (1.6.5+dfsg-1)
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (1.6.5+dfsg-1)
Ubuntu 14.04 ESM (Trusty Tahr): Released (1.5.4+dfsg-1ubuntu0.1~esm2)

Patches:
Upstream: https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08