CVE-2014-4660

Sažetak

Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format.

Reference

https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md
https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08
https://security-tracker.debian.org/tracker/CVE-2014-4660
https://www.openwall.com/lists/oss-security/2014/06/26/19
https://www.securityfocus.com/bid/68231

CVSS

Base:	2.1
Impact:	2.9
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
LOCAL	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:L/AC:L/Au:N/C:P/I:N/A:N

Zadnje važnije ažuriranje

25-02-2020 - 20:13

Objavljeno

20-02-2020 - 03:15