Information disclosure in ansible (Alpine package)

1) Information disclosure

EUVDB-ID: #VU16629

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-16876

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to the affected software does not honor the no_log flag for failed tasks with vvv+ mode enabled. A remote attacker can send a specially crafted request to a targeted system via a connection plug-in that is designed to trigger connection exceptions, which could cause task information to be logged and access sensitive information, which could be used to conduct further attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

ansible (Alpine package): 2.5.5-r0

CPE2.3

• cpe:2.3:o:alpine:ansible_alpine_package:2.5.5-r0:*:*:*:*:alpine_linux:*:

External links

http://git.alpinelinux.org/aports/commit/?id=64020ed2bf35f3daf3f5d0ea33fa5302a6d4524d
http://git.alpinelinux.org/aports/commit/?id=a8e3303effdf6b6773ed81ae3a234ab0b0273c2e
http://git.alpinelinux.org/aports/commit/?id=fec49fe2125540138443a630698b0e350a4cba3e
http://git.alpinelinux.org/aports/commit/?id=0d403fc427e3c64a510e755977ce67de1873c16a
http://git.alpinelinux.org/aports/commit/?id=654c8976252f508114c2d655af63ee207cc11b00
http://git.alpinelinux.org/aports/commit/?id=bed16c2a8008f2f6bbaee7294911c3cf7792625e

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.