redhat ansible-engine CVE-2018-16837 in Red Hat and Debian Products
Published on October 23, 2018

The Ansible "User" module leaks any data that is passed as a parameter to ssh-keygen. This could lead to undesirable situations, such as passphrase credentials being passed as a parameter to the ssh-keygen executable, which shows those credentials in clear text to every user who has access to the process list.


Weakness Type

Invocation of Process Using Visible Sensitive Information

A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system. Many operating systems allow a user to list information about processes that are owned by other users. Other users could see information such as command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the software or related resources.
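Added example (not from the advisory or the Ansible project): a check for the weakness described above, in which a stand-in Python child replaces ssh-keygen and the secret is handed over once as a command-line argument and once over stdin. `SECRET`, `CHILD`, `visible_argv` and `secret_exposed` are names assumed here, and the sample passphrase is constructed.

```python
import subprocess
import sys

SECRET = "constructed-passphrase-123"  # constructed sample value, not a real credential
# Stand-in child (assumption: replaces the real helper); it blocks on stdin
# so the parent can inspect it while it is still running.
CHILD = "import sys; sys.stdin.readline()"


def visible_argv(pid):
    """Return the argument list of `pid` as any local user can read it."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:  # Linux
            raw = fh.read()
        return [a.decode(errors="replace") for a in raw.split(b"\0") if a]
    except FileNotFoundError:
        # Fallback for systems without /proc: ask ps for the argument string.
        out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True, check=True)
        return out.stdout.split()


def secret_exposed(secret_in_argv):
    """Start the child, then report whether SECRET shows up in its argv."""
    argv = [sys.executable, "-c", CHILD]
    if secret_in_argv:
        argv.append(SECRET)  # weak pattern: secret is a command-line argument
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE)
    try:
        return SECRET in visible_argv(proc.pid)
    finally:
        # Safer pattern: the secret travels over the stdin pipe, which is not
        # part of the process listing; this also releases the waiting child.
        proc.communicate(input=(SECRET + "\n").encode())


if __name__ == "__main__":
    print("secret in argv  ->", secret_exposed(True))
    print("secret on stdin ->", secret_exposed(False))
```

The same check can be pointed at any helper a playbook or script launches, to confirm that no credential appears in its argument list while it runs.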



Affected Versions

[UNKNOWN] Ansible Version n/a is affected by CVE-2018-16837

Exploit Probability

EPSS: 0.04%
Percentile: 12.06%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.