Candidate: CVE-2014-4660
PublicDate: 2020-02-20 03:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4660
 http://www.openwall.com/lists/oss-security/2014/06/26/19
Description:
 Ansible before 1.5.5 constructs filenames containing user and password
 fields on the basis of deb lines in sources.list, which might allow local
 users to obtain sensitive credential information in opportunistic
 circumstances by leveraging existence of a file that uses the "deb
 http://user:pass@server:port/" format.
Ubuntu-Description:
 It was discovered that Ansible created filenames containing sensitive information.
 An attacker could use this vulnerability to obtain unauthorized access to a 
 private Ubuntu repository.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [5.5 MEDIUM]

Patches_ansible:
 upstream: https://github.com/ansible/ansible/commit/c4b5e46054c74176b2446c82d4df1a2610eddc08
upstream_ansible: released (1.5.5+dfsg-1)
lucid_ansible: DNE
precise_ansible: DNE
precise/esm_ansible: DNE
saucy_ansible: ignored (reached end-of-life)
trusty_ansible: ignored (out of standard support)
trusty/esm_ansible: released (1.5.4+dfsg-1ubuntu0.1~esm2)
utopic_ansible: not-affected (1.6.5+dfsg-1)
vivid_ansible: not-affected (1.6.5+dfsg-1)
vivid/stable-phone-overlay_ansible: DNE
vivid/ubuntu-core_ansible: DNE
wily_ansible: not-affected (1.6.5+dfsg-1)
xenial_ansible: not-affected (1.6.5+dfsg-1)
yakkety_ansible: not-affected (1.6.5+dfsg-1)
zesty_ansible: not-affected (1.6.5+dfsg-1)
artful_ansible: not-affected (1.6.5+dfsg-1)
bionic_ansible: not-affected (1.6.5+dfsg-1)
cosmic_ansible: not-affected (1.6.5+dfsg-1)
disco_ansible: not-affected (1.6.5+dfsg-1)
eoan_ansible: not-affected (1.6.5+dfsg-1)
focal_ansible: not-affected (1.6.5+dfsg-1)
groovy_ansible: not-affected (1.6.5+dfsg-1)
hirsute_ansible: not-affected (1.6.5+dfsg-1)
impish_ansible: not-affected (1.6.5+dfsg-1)
jammy_ansible: not-affected (1.6.5+dfsg-1)
devel_ansible: not-affected (1.6.5+dfsg-1)