ALT-PU-2014-1523-2

CVE-2014-4658

MEDIUM5.5

The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file.

Опубликовано: 2020-02-20Изменено: 2024-11-21

CVSS 2.0НИЗКАЯ 2.1

CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS 3.xСРЕДНЯЯ 5.5

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Ссылки

CVE-2014-4659

MEDIUM5.5

Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format.

Опубликовано: 2020-02-20Изменено: 2024-11-21

CVSS 2.0НИЗКАЯ 2.1

CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS 3.xСРЕДНЯЯ 5.5

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Ссылки

CVE-2014-4660

MEDIUM5.5

Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format.

Опубликовано: 2020-02-20Изменено: 2024-11-21

CVSS 2.0НИЗКАЯ 2.1

CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS 3.xСРЕДНЯЯ 5.5

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Ссылки

GHSA-5g4v-2pc6-4hh4

MEDIUM6.8

Ansible Sensitive Files Are Locally Readable

Опубликовано: 2022-05-17Изменено: 2024-09-05

CVSS 3.xСРЕДНЯЯ 6.8

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0СРЕДНЯЯ 6.8

CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Ссылки

GHSA-5xm4-jmpw-p6j3

MEDIUM6.8

Ansible discloses credential information

Опубликовано: 2022-05-17Изменено: 2024-09-11

CVSS 3.xСРЕДНЯЯ 6.8

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0СРЕДНЯЯ 6.8

CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Ссылки

GHSA-6667-f46p-pg88

MEDIUM6.8

Ansible sets unsafe permissions for sources.list

Опубликовано: 2022-05-17Изменено: 2024-09-11

CVSS 3.xСРЕДНЯЯ 6.8

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0СРЕДНЯЯ 6.8

CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Ссылки

Обновление пакета ansible в ветке sisyphus

Закрытые проблемы (6)

The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file.

Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format.

Ansible Sensitive Files Are Locally Readable

Ansible discloses credential information

Ansible sets unsafe permissions for sources.list