GHSA-5xm4-jmpw-p6j3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5xm4-jmpw-p6j3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5xm4-jmpw-p6j3/GHSA-5xm4-jmpw-p6j3.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-5xm4-jmpw-p6j3
- Aliases
- Published
- 2022-05-17T19:57:32Z
- Modified
- 2024-09-10T22:33:52.731836Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- 6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Ansible discloses credential information
- Details
-
Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in
sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses thedeb http://user:pass@server:port/format. - Database specific
{ "nvd_published_at": "2020-02-20T03:15:00Z", "cwe_ids": [ "CWE-200" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-08-16T21:59:13Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2014-4660
- https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08
- https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-202.yaml
- https://security-tracker.debian.org/tracker/CVE-2014-4660
- https://web.archive.org/web/20200229060002/https://www.securityfocus.com/bid/68231
- https://www.openwall.com/lists/oss-security/2014/06/26/19
Affected packages
PyPI / ansible
Package
- Name
- ansible
- View open source insights on deps.dev
- Purl
- pkg:pypi/ansible