CVE-2018-16837

Advisory

Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://github.com/ansible/ansible/commit/b618339c321c387230d3ea523e80ad47af3de5cf
• https://github.com/ansible/ansible/commit/f50cc0b8cb399bb7b7c1ad23b94c9404f0cc6d23
• https://github.com/ansible/ansible/commit/77928e6c3a2ad878b20312ce5d74d9d7741e0df0
• https://nvd.nist.gov/vuln/detail/CVE-2018-16837
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837
• http://www.securityfocus.com/bid/105700
• https://access.redhat.com/errata/RHSA-2018:3463
• https://access.redhat.com/errata/RHSA-2018:3462
• https://access.redhat.com/errata/RHSA-2018:3461
• https://access.redhat.com/errata/RHSA-2018:3460
• https://access.redhat.com/errata/RHSA-2018:3505
• https://lists.debian.org/debian-lts-announce/2018/11/msg00012.html
• https://access.redhat.com/security/cve/cve-2018-16837
• https://www.debian.org/security/2019/dsa-4396
• http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
• http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html
• https://usn.ubuntu.com/4072-1/
• http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16837