—

PYSEC-2020-202

상세

Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / ansible

최초 영향 버전: 0 수정 버전: c4b5e46054c74176b2446c82d4df1a2610eddc08

수정 pip install --upgrade 'ansible>=c4b5e46054c74176b2446c82d4df1a2610eddc08'

참고

https://security-tracker.debian.org/tracker/CVE-2014-4660 [WEB]
https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08 [FIX]
https://www.securityfocus.com/bid/68231 [WEB]
https://www.openwall.com/lists/oss-security/2014/06/26/19 [WEB]
https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md [WEB]