CVE-2018-16859

Name: CVE-2018-16859
Description: Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.
NVD Severity: medium

References

Type                  URI
Patch                 https://github.com/ansible/ansible/pull/49142
Issue Tracking        https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16859
Third Party Advisory  http://www.securityfocus.com/bid/106004
Vendor Advisory       https://access.redhat.com/errata/RHSA-2018:3773
Issue Tracking        https://access.redhat.com/errata/RHSA-2018:3772
Vendor Advisory       https://access.redhat.com/errata/RHSA-2018:3771
Vendor Advisory       https://access.redhat.com/errata/RHSA-2018:3770
SUSE                  http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
SUSE                  http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html
SUSE                  http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html

Match rules

CPE URI                                          Source package  Min version  Max version
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*  ansible_engine  >= 2.7.0     < 2.7.4
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*  ansible_engine  >= 2.7.5     <= 2.8
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*  ansible_engine  >= None      < 2.5.13
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*  ansible_engine  >= 2.6.0     < 2.6.10

Vulnerable and fixed packages

Source package Branch Version Maintainer Status