CVE-2018-16876 – ansible: Information disclosure in vvv+ mode with no_log on
https://notcve.org/view.php?id=CVE-2018-16876
ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensible data. ansible en versiones anteriores a las 2.5.14, 2.6.11 y 2.7.5 es vulnerable a un fallo de divulgación de información en el modo vvv+ con "no_log" habilitado, el cual podría provocar el filtrado de datos sensibles. • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html http://www.securityfocus.com/bid/106225 https://access.redhat.com/errata/RHSA-2018:3835 https://access.redhat.com/errata/RHSA-2018:3836 https://access.redhat.com/errata/RHSA-2018:3837 https://access.redhat.com/errata/RHSA-2018:3838 https://access.redhat.com/errata& • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2018-16859 – ansible: become password logged in plaintext when used with PowerShell on Windows
https://notcve.org/view.php?id=CVE-2018-16859
Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable. Ejecucion de playbooks Ansible en plataformas Windows con PowerShell ScriptBlock logging y Module logging activados puede permitir que aparezcan contraseñas "become" en EventLogs en texto plano. Un usuario local con privilegios de administrador en la máquina puede visualizar estos registros y descubrir la contraseña en texto plano. • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html http://www.securityfocus.com/bid/106004 https://access.redhat.com/errata/RHSA-2018:3770 https://access.redhat.com/errata/RHSA-2018:3771 https://access.redhat.com/errata/RHSA-2018:3772 https://access.redhat.com/errata/RHSA-2018:3773 https://bugzilla.redhat.com/show& • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2018-16837 – Ansible: Information leak in "user" module
https://notcve.org/view.php?id=CVE-2018-16837
Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list. El módulo "User" de Ansible filtra cualquier dato que se pasa como parámetro a ssh-keygen. Esto podría desembocar en situaciones no deseadas como el paso de credenciales de frase de contraseña como parámetro para el ejecutable ssh-keygen. • http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html http://www.securityfocus.com/bid/105700 https://access.redhat.com/errata/RHSA-2018:3460 https://access.redhat.com/errata/RHSA-2018:3461 https://access.redhat.com/errata/RHSA-2018:3462 https://access.redhat.com/errata/RHSA-2018:3463 https://access.redhat.com/errata& • CWE-214: Invocation of Process Using Visible Sensitive Information CWE-311: Missing Encryption of Sensitive Data •