CVE-2017-7550
critical
CVSS v3
9.8
CVSS v2
5.0
VIR risk
9.8
Description
A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkins_plugin module. Remote attackers could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in the "params" argument, and noting this in the module documentation.
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2017-7550.html
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-7550
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 2.4.2.0+dfsg-1 |
| debian | bullseye | fixed | 2.4.2.0+dfsg-1 |
| debian | forky | fixed | 2.4.2.0+dfsg-1 |
| debian | sid | fixed | 2.4.2.0+dfsg-1 |
| debian | trixie | fixed | 2.4.2.0+dfsg-1 |
| sles | affected | | |
| rhel | 7.0 | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| redhat | ansible | {"startIncluding":"2.3.0","endExcluding":"2.3.3"} | 2.3.3 |
References
- https://security-tracker.debian.org/tracker/CVE-2017-7550
- https://nvd.nist.gov/vuln/detail/CVE-2017-7550
- https://github.com/ansible/ansible/issues/30874
- https://github.com/ansible/ansible/commit/facbf7f14da29eea67ef68ab386fc15bd06d7c7f
- https://access.redhat.com/errata/RHSA-2017:2966
- https://access.redhat.com/security/cve/CVE-2017-7550
- https://bugzilla.redhat.com/show_bug.cgi?id=1473645
- https://github.com/ansible/ansible
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2017-4.yaml
- https://www.suse.com/security/cve/CVE-2017-7550.html
CWEs
CWE-532
Verify integrity in audit chain (admin only). AS-IS.