CVE-2014-4659: Ansible sets unsafe permissions for sources.list

May 17, 2022 (updated September 10, 2024)

Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format.

References

github.com/advisories/GHSA-6667-f46p-pg88
github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md
github.com/ansible/ansible/commit/a0e027fe362fbc209dbeff2f72d6e95f39885c69
github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-201.yaml
nvd.nist.gov/vuln/detail/CVE-2014-4659
web.archive.org/web/20200229060001/https://www.securityfocus.com/bid/68234

Detect and mitigate CVE-2014-4659 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →