Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2018-16876 |
CWE-ID | CWE-200 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
ansible (Alpine package) Operating systems & Components / Operating system package or component |
Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU16629
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-16876
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to the affected software does not honor the no_log flag for failed tasks with vvv+ mode enabled. A remote attacker can send a specially crafted request to a targeted system via a connection plug-in that is designed to trigger connection exceptions, which could cause task information to be logged and access sensitive information, which could be used to conduct further attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsansible (Alpine package): 2.5.5-r0
CPE2.3 External linkshttp://git.alpinelinux.org/aports/commit/?id=64020ed2bf35f3daf3f5d0ea33fa5302a6d4524d
http://git.alpinelinux.org/aports/commit/?id=a8e3303effdf6b6773ed81ae3a234ab0b0273c2e
http://git.alpinelinux.org/aports/commit/?id=fec49fe2125540138443a630698b0e350a4cba3e
http://git.alpinelinux.org/aports/commit/?id=0d403fc427e3c64a510e755977ce67de1873c16a
http://git.alpinelinux.org/aports/commit/?id=654c8976252f508114c2d655af63ee207cc11b00
http://git.alpinelinux.org/aports/commit/?id=bed16c2a8008f2f6bbaee7294911c3cf7792625e
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.