CVE-2018-16859

Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.

References

Affected packages

Git / github.com/ansible/ansible

Affected ranges

Type

GIT

Repo

https://github.com/ansible/ansible

Events

Introduced

Fixed

ceae26e5e9b73575a8a397101617b11a5c2ce7d5

Introduced

8ce3bd6deaa0a0274a921c0137cbd804ffc312d0

Fixed

e459665d3bad1603fa6cc52ad412df7871809c37

Introduced

0a07068054090d5b78b27496aa251be74c484b45

Fixed

81879e97925921da225e0fd6010516f765d18d86

Introduced

a771ed93ab09691e53184c809d88a0f1073ef82d

Last affected

2611867fd1dc387ceaa0ffb8ce0f030aafc2a859

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.5.13"
        },
        {
            "introduced": "2.6.0"
        },
        {
            "fixed": "2.6.10"
        },
        {
            "introduced": "2.7.0"
        },
        {
            "fixed": "2.7.4"
        },
        {
            "introduced": "2.7.5"
        },
        {
            "last_affected": "2.8"
        }
    ]
}

Affected versions

0.*

0.0.1

0.01

0.3

0.7

v1.*

v1.0

v1.1

v1.2

v1.4.0

v1.6.0

v2.*

v2.0.0-0.1.alpha1

v2.0.0-0.2.alpha2

v2.0.0-0.3.beta1

v2.0.0-0.4.beta2

v2.0.0-0.5.beta3

v2.5.0

v2.5.0b1

v2.5.0b2

v2.5.0rc1

v2.5.0rc2

v2.5.0rc3

v2.5.1

v2.5.10

v2.5.11

v2.5.12

v2.5.2

v2.5.3

v2.5.4

v2.5.5

v2.5.6

v2.5.7

v2.5.8

v2.5.9

v2.6.0

v2.6.0a1

v2.6.1

v2.6.2

v2.6.3

v2.6.4

v2.6.5

v2.6.6

v2.6.7

v2.6.8

v2.6.9

v2.7.0

v2.7.0.a1

v2.7.1

v2.7.2

v2.7.3

v2.8.0

v2.8.0a1

v2.8.0b1

v2.8.0rc1

v2.8.0rc2

v2.8.0rc3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-16859.json"