Search for vulnerabilities
Vulnerability details: VCID-u6aj-ej4a-6fe5
Vulnerability ID VCID-u6aj-ej4a-6fe5
Aliases CVE-2018-16859
GHSA-v735-2pp6-h86r
PYSEC-2018-60
Summary Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-532 Insertion of Sensitive Information into Log File
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 4.4 http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
cvssv3.1 4.4 http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html
cvssv3.1 4.4 http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html
cvssv3.1 4.4 https://access.redhat.com/errata/RHSA-2018:3770
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2018:3770
cvssv3.1 4.4 https://access.redhat.com/errata/RHSA-2018:3771
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2018:3771
cvssv3.1 4.4 https://access.redhat.com/errata/RHSA-2018:3772
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2018:3772
cvssv3.1 4.4 https://access.redhat.com/errata/RHSA-2018:3773
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2018:3773
cvssv3 4.2 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16859.json
epss 0.00099 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00099 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00099 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00099 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00099 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00099 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2018-16859
cvssv3.1 4.4 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16859
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16859
cvssv3 4.2 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-v735-2pp6-h86r
cvssv3.1 4.4 https://github.com/ansible/ansible
generic_textual MODERATE https://github.com/ansible/ansible
cvssv3.1 4.4 https://github.com/ansible/ansible/blob/v2.5.13/changelogs/CHANGELOG-v2.5.rst
generic_textual MODERATE https://github.com/ansible/ansible/blob/v2.5.13/changelogs/CHANGELOG-v2.5.rst
cvssv3.1 4.4 https://github.com/ansible/ansible/commit/0d746b4198abf84290a093b83cf02b4203d73d9f
generic_textual MODERATE https://github.com/ansible/ansible/commit/0d746b4198abf84290a093b83cf02b4203d73d9f
cvssv3.1 4.4 https://github.com/ansible/ansible/commit/2f8d3fcf41107efafc14d51ab6e14531ca8f8c87
generic_textual MODERATE https://github.com/ansible/ansible/commit/2f8d3fcf41107efafc14d51ab6e14531ca8f8c87
cvssv3.1 4.4 https://github.com/ansible/ansible/commit/4d748d34f9392aa469da00a85c8e2d5fe6cec52b
generic_textual MODERATE https://github.com/ansible/ansible/commit/4d748d34f9392aa469da00a85c8e2d5fe6cec52b
cvssv3.1 4.4 https://github.com/ansible/ansible/pull/49142
generic_textual MODERATE https://github.com/ansible/ansible/pull/49142
cvssv3.1 4.4 https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-60.yaml
generic_textual MODERATE https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-60.yaml
cvssv2 2.1 https://nvd.nist.gov/vuln/detail/CVE-2018-16859
cvssv3 4.4 https://nvd.nist.gov/vuln/detail/CVE-2018-16859
cvssv3.1 4.4 https://nvd.nist.gov/vuln/detail/CVE-2018-16859
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2018-16859
cvssv3.1 4.4 https://web.archive.org/web/20200227102121/http://www.securityfocus.com/bid/106004
generic_textual MODERATE https://web.archive.org/web/20200227102121/http://www.securityfocus.com/bid/106004
Reference id Reference type URL
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html
https://access.redhat.com/errata/RHSA-2018:3770
https://access.redhat.com/errata/RHSA-2018:3771
https://access.redhat.com/errata/RHSA-2018:3772
https://access.redhat.com/errata/RHSA-2018:3773
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16859.json
https://api.first.org/data/v1/epss?cve=CVE-2018-16859
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16859
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16859
https://cwe.mitre.org/data/definitions/200.html
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/ansible/ansible
https://github.com/ansible/ansible/blob/v2.5.13/changelogs/CHANGELOG-v2.5.rst
https://github.com/ansible/ansible/commit/0d746b4198abf84290a093b83cf02b4203d73d9f
https://github.com/ansible/ansible/commit/2f8d3fcf41107efafc14d51ab6e14531ca8f8c87
https://github.com/ansible/ansible/commit/4d748d34f9392aa469da00a85c8e2d5fe6cec52b
https://github.com/ansible/ansible/commit/8c1f701e6e9df29fe991f98265e2dd76acca4b8c
https://github.com/ansible/ansible/pull/49142
https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-60.yaml
https://nvd.nist.gov/vuln/detail/CVE-2018-16859
https://web.archive.org/web/20200227102121/http://www.securityfocus.com/bid/106004
http://www.securityfocus.com/bid/106004
1649607 https://bugzilla.redhat.com/show_bug.cgi?id=1649607
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
GHSA-v735-2pp6-h86r https://github.com/advisories/GHSA-v735-2pp6-h86r
No exploits are available.
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:3770
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:3771
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:3772
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/errata/RHSA-2018:3773
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16859.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16859
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/ansible/ansible
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/ansible/ansible/blob/v2.5.13/changelogs/CHANGELOG-v2.5.rst
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/ansible/ansible/commit/0d746b4198abf84290a093b83cf02b4203d73d9f
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/ansible/ansible/commit/2f8d3fcf41107efafc14d51ab6e14531ca8f8c87
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/ansible/ansible/commit/4d748d34f9392aa469da00a85c8e2d5fe6cec52b
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/ansible/ansible/pull/49142
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-60.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-16859
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-16859
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2018-16859
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Found at https://web.archive.org/web/20200227102121/http://www.securityfocus.com/bid/106004
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.28266
EPSS Score 0.00099
Published At Sept. 16, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:07:18.000761+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/ansible/PYSEC-2018-60.yaml 37.0.0