CVE-2018-16837

Published: 23 October 2018

The Ansible "User" module leaks any data that is passed as a parameter to ssh-keygen. This could lead to undesirable situations, such as passphrase credentials passed as a parameter to the ssh-keygen executable being shown in clear text to every user who has access to just the process list.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package: ansible (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Released (2.8.0)
Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (2.7.5+dfsg-1)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (2.7.5+dfsg-1)
Ubuntu 18.04 LTS (Bionic Beaver): Released (2.5.1+dfsg-1ubuntu0.1)
Ubuntu 16.04 ESM (Xenial Xerus): Released (2.0.0.2-2ubuntu1.3)
Ubuntu 14.04 ESM (Trusty Tahr): Needed

Patches:
Upstream: https://github.com/ansible/ansible/commit/a0aa53d1a1d6075a7ae98ace138712ee6cb45ae4.patch