Vulnerability Details : CVE-2014-4660
Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format.
Products affected by CVE-2014-4660
- cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-4660
- EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~6% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2014-4660
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N | 3.9 | 2.9 | NIST |
5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 | NIST |
CWE ids for CVE-2014-4660
- The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-4660
- https://security-tracker.debian.org/tracker/CVE-2014-4660 (CVE-2014-4660; Patch; Third Party Advisory)
- https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08 (Backporting apt_repository module from devel · ansible/ansible@c4b5e46 · GitHub; Patch)
- https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md (ansible/CHANGELOG.md at release1.5.5 · ansible/ansible · GitHub; Release Notes)
- https://www.securityfocus.com/bid/68231 (ansible CVE-2014-4660 Remote Information Disclosure Vulnerability; Third Party Advisory; VDB Entry)
- https://www.openwall.com/lists/oss-security/2014/06/26/19 (oss-security - Re: Ansible CVE requests; Mailing List; Patch; Third Party Advisory)