Vulnerability Name:

CVE-2014-4660 (CCN-94096)

Assigned: 2014-06-26
Published: 2014-06-26
Updated: 2020-02-25
Summary: Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format.
CVSS v3 Severity: 5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
1.6 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-522
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2014-4660

Source: CCN
Type: oss-security Mailing List, Thu 26 Jun 2014
Re: Ansible CVE requests

Source: CCN
Type: BID-68231
ansible CVE-2014-4660 Remote Information Disclosure Vulnerability

Source: XF
Type: UNKNOWN
ansible-cve20144660-info-disc(94096)

Source: CCN
Type: Ansible Web Site
Ansible Project

Source: MISC
Type: Release Notes
https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md

Source: MISC
Type: Patch
https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08

Source: MISC
Type: Patch, Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2014-4660

Source: MISC
Type: Mailing List, Patch, Third Party Advisory
https://www.openwall.com/lists/oss-security/2014/06/26/19

Source: MISC
Type: Third Party Advisory, VDB Entry
https://www.securityfocus.com/bid/68231

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-4660

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:redhat:ansible:*:*:*:*:*:*:*:* (Version < 1.5.5)

Configuration CCN 1:
  • cpe:/a:redhat:ansible:1.5.4:*:*:*:*:*:*:*

  * Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:com.ubuntu.xenial:def:201446600000000 | V | CVE-2014-4660 on Ubuntu 16.04 LTS (xenial) - medium. | 2020-02-20
oval:com.ubuntu.bionic:def:201446600000000 | V | CVE-2014-4660 on Ubuntu 18.04 LTS (bionic) - medium. | 2020-02-20
oval:com.ubuntu.artful:def:20144660000 | V | CVE-2014-4660 on Ubuntu 17.10 (artful) - medium. | 2014-06-26
oval:com.ubuntu.xenial:def:20144660000 | V | CVE-2014-4660 on Ubuntu 16.04 LTS (xenial) - medium. | 2014-06-26
oval:com.ubuntu.disco:def:201446600000000 | V | CVE-2014-4660 on Ubuntu 19.04 (disco) - medium. | 2014-06-26
oval:com.ubuntu.bionic:def:20144660000 | V | CVE-2014-4660 on Ubuntu 18.04 LTS (bionic) - medium. | 2014-06-26
oval:com.ubuntu.cosmic:def:201446600000000 | V | CVE-2014-4660 on Ubuntu 18.10 (cosmic) - medium. | 2014-06-26
oval:com.ubuntu.cosmic:def:20144660000 | V | CVE-2014-4660 on Ubuntu 18.10 (cosmic) - medium. | 2014-06-26
oval:com.ubuntu.trusty:def:20144660000 | V | CVE-2014-4660 on Ubuntu 14.04 LTS (trusty) - medium. | 2014-06-26