Miggo Logo

CVE-2014-4658: Ansible Sensitive Files Are Locally Readable

5.5

CVSS Score
3.1

Basic Information

EPSS Score
0.31768%
Published
5/17/2022
Updated
9/5/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
ansiblepip< 1.5.51.5.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing umask restrictions in vault file operations. The GitHub commit a0e027f explicitly adds umask(0077) calls in these two functions to fix the issue. The pre-patch code lacked these protections, leaving file creation/modification vulnerable to permission leaks. Both functions directly handle vault file I/O without proper permission constraints in vulnerable versions, matching the CVE description of insecure umask handling.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** v*ult su*syst*m in *nsi*l* ***or* *.*.* *o*s not s*t t** um*sk ***or* *r**tion or mo*i*i**tion o* * v*ult *il*, w*i** *llows lo**l us*rs to o*t*in s*nsitiv* k*y in*orm*tion *y r***in* * *il*.

Reasoning

T** vuln*r**ility st*ms *rom missin* um*sk r*stri*tions in v*ult *il* op*r*tions. T** *it*u* *ommit ******* *xpli*itly ***s `um*sk(****)` **lls in t**s* two *un*tions to *ix t** issu*. T** pr*-p*t** *o** l**k** t**s* prot**tions, l**vin* *il* *r**tio