{"containers": {"cna": {"affected": [{"product": "Ansible", "vendor": "[UNKNOWN]", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-10-23T00:00:00", "descriptions": [{"lang": "en", "value": "Ansible \"User\" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-214", "description": "CWE-214", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-08-14T08:06:03", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2018:3460", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:3460"}, {"name": "105700", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/105700"}, {"name": "RHSA-2018:3462", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:3462"}, {"name": "RHSA-2018:3505", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:3505"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837"}, {"name": "RHSA-2018:3463", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:3463"}, {"name": "[debian-lts-announce] 20181112 [SECURITY] [DLA 1576-1] ansible security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00012.html"}, {"name": "RHSA-2018:3461", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:3461"}, {"name": "DSA-4396", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2019/dsa-4396"}, {"name": "openSUSE-SU-2019:1125", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"}, {"name": "openSUSE-SU-2019:1635", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html"}, {"name": "USN-4072-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4072-1/"}, {"name": "openSUSE-SU-2019:1858", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2018-16837", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Ansible", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "[UNKNOWN]"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Ansible \"User\" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list."}]}, "impact": {"cvss": [[{"vectorString": "7.8/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-214"}]}]}, "references": {"reference_data": [{"name": "RHSA-2018:3460", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3460"}, {"name": "105700", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105700"}, {"name": "RHSA-2018:3462", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3462"}, {"name": "RHSA-2018:3505", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3505"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837"}, {"name": "RHSA-2018:3463", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3463"}, {"name": "[debian-lts-announce] 20181112 [SECURITY] [DLA 1576-1] ansible security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00012.html"}, {"name": "RHSA-2018:3461", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3461"}, {"name": "DSA-4396", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4396"}, {"name": "openSUSE-SU-2019:1125", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"}, {"name": "openSUSE-SU-2019:1635", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html"}, {"name": "USN-4072-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4072-1/"}, {"name": "openSUSE-SU-2019:1858", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T10:32:54.010Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2018:3460", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:3460"}, {"name": "105700", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/105700"}, {"name": "RHSA-2018:3462", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:3462"}, {"name": "RHSA-2018:3505", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:3505"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837"}, {"name": "RHSA-2018:3463", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:3463"}, {"name": "[debian-lts-announce] 20181112 [SECURITY] [DLA 1576-1] ansible security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00012.html"}, {"name": "RHSA-2018:3461", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:3461"}, {"name": "DSA-4396", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2019/dsa-4396"}, {"name": "openSUSE-SU-2019:1125", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"}, {"name": "openSUSE-SU-2019:1635", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html"}, {"name": "USN-4072-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4072-1/"}, {"name": "openSUSE-SU-2019:1858", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2018-16837", "datePublished": "2018-10-23T15:00:00", "dateReserved": "2018-09-11T00:00:00", "dateUpdated": "2024-08-05T10:32:54.010Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible_engine:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "8989CD03-49A1-4831-BF98-9F21592788BE", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_engine:2.5:*:*:*:*:*:*:*", "matchCriteriaId": "4C5A40D5-4DF7-43D9-962E-1529D2DF198D", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_engine:2.6:*:*:*:*:*:*:*", "matchCriteriaId": "13BACD7C-AC7E-4D86-8D9B-ABB614005D0C", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_engine:2.7:*:*:*:*:*:*:*", "matchCriteriaId": "9B2073BF-90F8-4B22-97C4-7D6D4E852E46", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_tower:3.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "5817E2DF-3920-4886-A709-C51A70A6B7AD", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:suse:package_hub:-:*:*:*:*:*:*:*", "matchCriteriaId": "284A8DA0-317B-4BBE-AECB-7E91BBF0DD3B", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise:12.0:*:*:*:*:*:*:*", "matchCriteriaId": "CBC8B78D-1131-4F21-919D-8AC79A410FB9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Ansible \"User\" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list."}, {"lang": "es", "value": "El m\u00f3dulo \"User\" de Ansible filtra cualquier dato que se pasa como par\u00e1metro a ssh-keygen. Esto podr\u00eda desembocar en situaciones no deseadas como el paso de credenciales de frase de contrase\u00f1a como par\u00e1metro para el ejecutable ssh-keygen. Las credenciales se muestran en texto claro a cada usuario con acceso solo a la lista de procesos."}], "id": "CVE-2018-16837", "lastModified": "2024-11-21T03:53:24.797", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-10-23T15:29:00.607", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105700"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:3460"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:3461"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:3462"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:3463"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:3505"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00012.html"}, {"source": "secalert@redhat.com", "url": "https://usn.ubuntu.com/4072-1/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2019/dsa-4396"}, {"source": "nvd@nist.gov", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/cve-2018-16837"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105700"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:3460"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:3461"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:3462"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:3463"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:3505"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00012.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://usn.ubuntu.com/4072-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2019/dsa-4396"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-214"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-311"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Markus Teufelberger (mgIT Consulting) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2018:3461", "cpe": "cpe:/a:redhat:ansible_engine:2.5::el7", "impact": "moderate", "package": "ansible-0:2.5.11-1.el7ae", "product_name": "Red Hat Ansible Engine 2.5 for RHEL 7", "release_date": "2018-11-05T00:00:00Z"}, {"advisory": "RHSA-2018:3460", "cpe": "cpe:/a:redhat:ansible_engine:2.6::el7", "impact": "moderate", "package": "ansible-0:2.6.7-1.el7ae", "product_name": "Red Hat Ansible Engine 2.6 for RHEL 7", "release_date": "2018-11-05T00:00:00Z"}, {"advisory": "RHSA-2018:3463", "cpe": "cpe:/a:redhat:ansible_engine:2.7::el7", "impact": "moderate", "package": "ansible-0:2.7.1-1.el7ae", "product_name": "Red Hat Ansible Engine 2.7 for RHEL 7", "release_date": "2018-11-05T00:00:00Z"}, {"advisory": "RHSA-2018:3462", "cpe": "cpe:/a:redhat:ansible_engine:2::el7", "impact": "moderate", "package": "ansible-0:2.7.1-1.el7ae", "product_name": "Red Hat Ansible Engine 2 for RHEL 7", "release_date": "2018-11-05T00:00:00Z"}, {"advisory": "RHSA-2019:0564", "cpe": "cpe:/a:redhat:openstack:13::el7", "package": "ansible-0:2.6.11-1.el7ae", "product_name": "Red Hat OpenStack Platform 13.0 (Queens)", "release_date": "2019-03-14T00:00:00Z"}, {"advisory": "RHSA-2019:0564", "cpe": "cpe:/a:redhat:openstack:13::el7", "package": "openstack-ec2-api-0:6.0.1-0.20181123223255.1e25260.el7ost", "product_name": "Red Hat OpenStack Platform 13.0 (Queens)", "release_date": "2019-03-14T00:00:00Z"}, {"advisory": "RHSA-2019:0564", "cpe": "cpe:/a:redhat:openstack:13::el7", "package": "openstack-manila-1:6.0.2-5.el7ost", "product_name": "Red Hat OpenStack Platform 13.0 (Queens)", "release_date": "2019-03-14T00:00:00Z"}, {"advisory": "RHSA-2019:0564", "cpe": "cpe:/a:redhat:openstack:13::el7", "package": "openstack-selinux-0:0.8.17-2.el7ost", "product_name": "Red Hat OpenStack Platform 13.0 (Queens)", "release_date": "2019-03-14T00:00:00Z"}, {"advisory": "RHSA-2019:0564", "cpe": "cpe:/a:redhat:openstack:13::el7", "package": "openstack-tempest-1:18.0.0-6.el7ost", "product_name": "Red Hat OpenStack Platform 13.0 (Queens)", "release_date": "2019-03-14T00:00:00Z"}, {"advisory": "RHSA-2019:0564", "cpe": "cpe:/a:redhat:openstack:13::el7", "package": "os-apply-config-0:8.3.1-0.20180831234255.be699ba.el7ost", "product_name": "Red Hat OpenStack Platform 13.0 (Queens)", "release_date": "2019-03-14T00:00:00Z"}, {"advisory": "RHSA-2019:0564", "cpe": "cpe:/a:redhat:openstack:13::el7", "package": "python-barbicanclient-0:4.6.0-2.el7ost", "product_name": "Red Hat OpenStack Platform 13.0 (Queens)", "release_date": "2019-03-14T00:00:00Z"}, {"advisory": "RHSA-2019:0564", "cpe": "cpe:/a:redhat:openstack:13::el7", "package": "python-docker-0:2.4.2-2.el7", "product_name": "Red Hat OpenStack Platform 13.0 (Queens)", "release_date": "2019-03-14T00:00:00Z"}, {"advisory": "RHSA-2019:0564", "cpe": "cpe:/a:redhat:openstack:13::el7", "package": "python-heat-tests-tempest-0:0.1.1-0.20180514163845.9d99219.el7ost", "product_name": "Red Hat OpenStack Platform 13.0 (Queens)", "release_date": "2019-03-14T00:00:00Z"}, {"advisory": "RHSA-2019:0564", "cpe": "cpe:/a:redhat:openstack:13::el7", "package": "python-novajoin-0:1.0.22-1.el7ost", "product_name": "Red Hat OpenStack Platform 13.0 (Queens)", "release_date": "2019-03-14T00:00:00Z"}, {"advisory": "RHSA-2019:0564", "cpe": "cpe:/a:redhat:openstack:13::el7", "package": "python-openstackclient-0:3.14.3-2.el7ost", "product_name": "Red Hat OpenStack Platform 13.0 (Queens)", "release_date": "2019-03-14T00:00:00Z"}, {"advisory": "RHSA-2019:0564", "cpe": "cpe:/a:redhat:openstack:13::el7", "package": "python-openstacksdk-0:0.11.3-2.el7ost", "product_name": "Red Hat OpenStack Platform 13.0 (Queens)", "release_date": "2019-03-14T00:00:00Z"}, {"advisory": "RHSA-2019:0564", "cpe": "cpe:/a:redhat:openstack:13::el7", "package": "python-vmware-nsxlib-0:12.0.4-3.el7ost", "product_name": "Red Hat OpenStack Platform 13.0 (Queens)", "release_date": "2019-03-14T00:00:00Z"}, {"advisory": "RHSA-2019:0564", "cpe": "cpe:/a:redhat:openstack:13::el7", "package": "rhosp-release-0:13.0.5-1.el7ost", "product_name": "Red Hat OpenStack Platform 13.0 (Queens)", "release_date": "2019-03-14T00:00:00Z"}, {"advisory": "RHSA-2019:0590", "cpe": "cpe:/a:redhat:openstack:14::el7", "package": "ansible-0:2.6.11-1.el7ae", "product_name": "Red Hat OpenStack Platform 14.0 (Rocky)", "release_date": "2019-03-18T00:00:00Z"}], "bugzilla": {"description": "Ansible: Information leak in \"user\" module", "id": "1640642", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1640642"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-214", "details": ["Ansible \"User\" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list.", "The User module in Ansible leaks any data which is passed on as a parameter to ssh-keygen. This could lead to undesirable situations such as passphrase credentials being passed as a parameter for the ssh-keygen executable, showing those credentials in clear text form for every user which have access just to the process list."], "name": "CVE-2018-16837", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "ansible", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "package_name": "ansible", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Will not fix", "package_name": "ansible", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Will not fix", "package_name": "ansible", "product_name": "Red Hat Storage 3"}], "public_date": "2018-10-23T06:46:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-16837\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-16837\nhttps://github.com/ansible/ansible/pull/47436"], "statement": "This issue affects the version of ansible as shipped with Red Hat Ceph Storage 3, as it contains the vulnerable code which leaks the data when ssh-keygen is invoked with any arguments.", "threat_severity": "Moderate", "upstream_fix": "ansible-engine 2.7.1, ansible-engine 2.6.7, ansible-engine 2.5.11"}