Vulnerability Description
Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format.
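As an added illustration (not code from this page or from the Ansible project), the Python below models the defect the description names: deriving a sources.list file name from a deb line whose URI carries user:pass@, beside the same derivation with the userinfo stripped first, plus a check a reviewer can run to confirm no password reaches the path. The deb line, host and credentials are constructed samples, and the file-name rules are an assumption, not Ansible's actual ones.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample sources.list line (not from the advisory); credentials are fake.
SAMPLE_DEB_LINE = "deb http://deployer:s3cret@repo.example.internal:8080/ubuntu trusty main"


def parse_deb_line(line):
    """Split a 'deb <uri> <suite> <components...>' line into its fields."""
    parts = line.split()
    if len(parts) < 3 or parts[0] not in ("deb", "deb-src"):
        raise ValueError("not a deb line: %r" % line)
    return {"type": parts[0], "uri": parts[1], "suite": parts[2], "components": parts[3:]}


def _to_filename(raw):
    # Assumed sanitising rule: anything outside [A-Za-z0-9._-] becomes '_'.
    return re.sub(r"[^A-Za-z0-9._-]", "_", raw) + ".list"


def naive_filename(line):
    """Pre-fix behaviour as described: the name is built from the full URI,
    so 'user:pass@' from the authority part lands in the file name."""
    fields = parse_deb_line(line)
    return _to_filename("%s_%s" % (fields["uri"], fields["suite"]))


def strip_userinfo(uri):
    """Drop 'user:pass@' from the authority part, keeping host and port."""
    parts = urlsplit(uri)
    host = parts.hostname or ""
    if parts.port is not None:
        host = "%s:%d" % (host, parts.port)
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def safe_filename(line):
    """Hardened derivation: credentials are removed before the name is built."""
    fields = parse_deb_line(line)
    return _to_filename("%s_%s" % (strip_userinfo(fields["uri"]), fields["suite"]))


def leaks_credentials(line, filename):
    """Check: does the derived file name contain the password from the deb line?"""
    password = urlsplit(parse_deb_line(line)["uri"]).password
    return bool(password) and password in filename
```

Running `leaks_credentials` over the names a host actually has under /etc/apt/sources.list.d/ is a quick way to audit for the pre-1.5.5 pattern.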
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Ansible | < 1.5.5 |
Related Weaknesses (CWE)
References
- https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md (Release Notes)
- https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc (Patch)
- https://security-tracker.debian.org/tracker/CVE-2014-4660 (Patch, Third Party Advisory)
- https://www.openwall.com/lists/oss-security/2014/06/26/19 (Mailing List, Patch, Third Party Advisory)
- https://www.securityfocus.com/bid/68231 (Third Party Advisory, VDB Entry)
FAQ
What is CVE-2014-4660?
CVE-2014-4660 is a vulnerability with a CVSS score of 5.5 (MEDIUM). Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format.
How severe is CVE-2014-4660?
CVE-2014-4660 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-4660?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Ansible.