NVD Vulnerability Detail

CVE-2018-16859

Summary	Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.
Publication Date	Nov. 30, 2018, 3:29 a.m.
Registration Date	March 1, 2021, 7:04 p.m.
Last Update	Nov. 21, 2024, 12:53 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
2	http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
3	http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html
4	http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html
5	http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html
6	http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html
7	http://www.securityfocus.com/bid/106004	Third Party Advisory VDB Entry
8	http://www.securityfocus.com/bid/106004	Third Party Advisory VDB Entry
9	https://access.redhat.com/errata/RHSA-2018:3770	Vendor Advisory
10	https://access.redhat.com/errata/RHSA-2018:3770	Vendor Advisory
11	https://access.redhat.com/errata/RHSA-2018:3771	Vendor Advisory
12	https://access.redhat.com/errata/RHSA-2018:3771	Vendor Advisory
13	https://access.redhat.com/errata/RHSA-2018:3772	Issue Tracking Vendor Advisory
14	https://access.redhat.com/errata/RHSA-2018:3772	Issue Tracking Vendor Advisory
15	https://access.redhat.com/errata/RHSA-2018:3773	Vendor Advisory
16	https://access.redhat.com/errata/RHSA-2018:3773	Vendor Advisory
17	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16859	Issue Tracking Vendor Advisory
18	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16859	Issue Tracking Vendor Advisory
19	https://github.com/ansible/ansible/pull/49142	Patch Third Party Advisory
20	https://github.com/ansible/ansible/pull/49142	Patch Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-532	ログファイルからの情報漏えい	https://cwe.mitre.org/data/definitions/532.html

JVN Vulnerability Information

Ansible Engine におけるログファイルからの情報漏えいに関する脆弱性

Title	Ansible Engine におけるログファイルからの情報漏えいに関する脆弱性
Summary	Ansible Engine には、ログファイルからの情報漏えいに関する脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Dec. 4, 2018, midnight
Registration Date	March 14, 2019, 4:02 p.m.
Last Update	March 14, 2019, 4:02 p.m.

Affected System

レッドハット

Red Hat Ansible Engine 2.8 およびそれ以前

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2018-16859	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16859
2	CVE-2018-16859	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16859
National Vulnerability Database (NVD)
3	CVE-2018-16859	https://nvd.nist.gov/vuln/detail/CVE-2018-16859
4	CVE-2018-16859	https://nvd.nist.gov/vuln/detail/CVE-2018-16859

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-532	https://cwe.mitre.org/data/definitions/532.html
2	CWE-532	https://cwe.mitre.org/data/definitions/532.html

ベンダー情報

No	Name	URL
GitHub
1	split PS wrapper and payload #49142	https://github.com/ansible/ansible/pull/49142
2	split PS wrapper and payload #49142	https://github.com/ansible/ansible/pull/49142
Red Hat Bugzilla
3	Bug 1649607	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16859
4	Bug 1649607	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16859
Red Hat Security Advisory
5	RHSA-2018:3770	https://access.redhat.com/errata/RHSA-2018:3770
6	RHSA-2018:3770	https://access.redhat.com/errata/RHSA-2018:3770
7	RHSA-2018:3771	https://access.redhat.com/errata/RHSA-2018:3771
8	RHSA-2018:3771	https://access.redhat.com/errata/RHSA-2018:3771
9	RHSA-2018:3772	https://access.redhat.com/errata/RHSA-2018:3772
10	RHSA-2018:3772	https://access.redhat.com/errata/RHSA-2018:3772
11	RHSA-2018:3773	https://access.redhat.com/errata/RHSA-2018:3773
12	RHSA-2018:3773	https://access.redhat.com/errata/RHSA-2018:3773

Change Log

No	Changed Details	Date of change
1	[2019年03月14日] 掲載	March 14, 2019, 4:02 p.m.