Moderate severity · NVD Advisory · Published Feb 20, 2020 · Updated Aug 6, 2024

CVE-2014-4658

Description

The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Ansible before 1.5.5 fails to set a restrictive umask when creating or modifying vault files, allowing local users to read sensitive key material.

Vulnerability

Overview

The vault subsystem in Ansible versions prior to 1.5.5 did not explicitly set the umask before creating or modifying a vault file. This oversight meant that vault files could be created with overly permissive file permissions, potentially exposing the encrypted vault content to other local users on the same system. The flaw is rooted in the file-handling logic of ansible-vault, which relied on the system's default umask rather than enforcing a secure, restrictive mask before file operations [1][2].

Exploitation

Scenario

To exploit CVE-2014-4658, an attacker must have local access to the system where Ansible vault files are created or edited. No special privileges are required beyond the ability to read files in the directory where the vault file resides. If the vault file is created with group- or world-readable permissions due to a permissive umask, a local adversary can simply read the file to obtain the encrypted vault content [2]. While the vault data is encrypted, successful decryption would still require the vault password; however, the vulnerability primarily increases the risk of unauthorized access to the encrypted key store.

Impact

A local attacker who can read the vault file gains access to the encrypted sensitive information stored within, which may include passwords, API keys, or other secrets managed by Ansible Vault. Although the vault data remains encrypted, the exposure of the file itself is a confidentiality breach. In environments where vault files are shared across users or stored in world-readable locations, this vulnerability could lead to credential disclosure [2][4].

Mitigation

The issue was fixed in Ansible 1.5.5, released on April 18, 2014. The fix sets the umask to a restrictive value before any vault file is created or modified and restores it afterwards, so a newly written vault file cannot come out group- or world-readable [1]. Users are strongly advised to upgrade to Ansible 1.5.5 or later. Where an immediate upgrade is not possible, setting a restrictive umask in the shell (e.g., umask 077) before running Ansible Vault commands serves as a temporary workaround.
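As an added example (not Ansible's code and not part of the advisory), the mechanism from the overview and both remedies from the mitigation section reproduced in Python: the file names, the fake vault header and the helper names are constructed for illustration. The temporary umask is restored in a finally block, which goes slightly beyond the 1.5.5 fix, and the third file shows an umask-independent alternative.

```python
import os
import stat
import tempfile
from contextlib import contextmanager

# Constructed stand-in for vault content; a real vault file holds ciphertext.
FAKE_VAULT = b"$ANSIBLE_VAULT;1.1;AES256\n...\n"

@contextmanager
def temporary_umask(mask):
    """Apply mask for the block and restore the old umask even on error
    (the 1.5.5 fix restores it only on the success path)."""
    old = os.umask(mask)
    try:
        yield
    finally:
        os.umask(old)

def write_private_file(path, data):
    """Create path readable by its owner only, whatever the umask is.
    O_EXCL refuses to clobber an existing file; the creation mode is still
    filtered by the umask, so fchmod pins the final mode explicitly."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, data)
    finally:
        os.close(fd)

def file_mode(path):
    """Permission bits of path as an int, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)

def is_overexposed(path):
    """True if group or others can read the file: the CVE-2014-4658 condition."""
    return bool(file_mode(path) & (stat.S_IRGRP | stat.S_IROTH))

def run_demo():
    """Write three 'vault' files in a fresh temp dir; return name -> (mode, exposed)."""
    workdir = tempfile.mkdtemp()
    paths = {n: os.path.join(workdir, n + ".vault") for n in ("leaky", "fixed", "hardened")}
    with temporary_umask(0o022):                     # a common default umask
        with open(paths["leaky"], "wb") as f:        # pre-1.5.5: inherits umask -> 0644
            f.write(FAKE_VAULT)
        with temporary_umask(0o077):                 # 1.5.5 approach: restrict first
            with open(paths["fixed"], "wb") as f:
                f.write(FAKE_VAULT)
        write_private_file(paths["hardened"], FAKE_VAULT)  # umask-independent
    return {n: (file_mode(p), is_overexposed(p)) for n, p in paths.items()}
```

Running `is_overexposed` over an existing vault directory is also a quick audit for files written by a pre-1.5.5 release, since the fix does not change the mode of files already on disk.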

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Affected versions   Patched versions
ansible (PyPI)    < 1.5.5             1.5.5

Affected products: 2

Patches: 1
a0e027fe362f

Make sure umask is set restrictively before creating any vault files

https://github.com/ansible/ansible · James Cammarata · Apr 18, 2014 · via ghsa
1 file changed · +8 -0
  • lib/ansible/utils/vault.py (+8 -0, modified)
    @@ -189,13 +189,15 @@ def create_file(self):
                 raise errors.AnsibleError("%s exists, please use 'edit' instead" % self.filename)
     
             # drop the user into vim on file
    +        old_umask = os.umask(0077)
             EDITOR = os.environ.get('EDITOR','vim')
             call([EDITOR, self.filename])
             tmpdata = self.read_data(self.filename)
             this_vault = VaultLib(self.password)
             this_vault.cipher_name = self.cipher_name
             enc_data = this_vault.encrypt(tmpdata)
             self.write_data(enc_data, self.filename)
    +        os.umask(old_umask)
     
         def decrypt_file(self):
     
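Review bot: the umask set at `old_umask = os.umask(0077)` is restored only on the success path; if `call([EDITOR, self.filename])`, `read_data` or `encrypt` raises, the process keeps running with umask 077, which will not leak anything but will surprise whatever the caller creates afterwards. Wrap the span in `try: ... finally: os.umask(old_umask)`. Minor: `0077` is a Python 2 only octal literal; `0o077` is accepted by Python 2.6+ and 3.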
    @@ -218,6 +220,9 @@ def edit_file(self):
             if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
                 raise errors.AnsibleError(CRYPTO_UPGRADE)
     
    +        # make sure the umask is set to a sane value
    +        old_mask = os.umask(0077)
    +
             # decrypt to tmpfile
             tmpdata = self.read_data(self.filename)
             this_vault = VaultLib(self.password)
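Review bot: `old_mask = os.umask(0077)` here is paired with a restore that lives in a separate hunk, with the decrypt-to-tmpfile and editor steps in between; any exception raised in that stretch skips the restore, so a `try`/`finally` around the body would keep the two halves together and make the pairing visible in one place. Also, the variable is `old_umask` in `create_file` but `old_mask` here; one name would be easier to grep.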
    @@ -243,6 +248,9 @@ def edit_file(self):
             # shuffle tmp file into place
             self.shuffle_files(tmp_path, self.filename)
     
    +        # and restore the old umask
    +        os.umask(old_mask)
    +
         def encrypt_file(self):
     
             if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
    
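Review bot: the restore at `os.umask(old_mask)` runs only after `shuffle_files` succeeds, so on an error path `edit_file` returns with umask 077 still in effect; a `finally` would cover both paths. Separately, this change touches only `create_file` and `edit_file`; `encrypt_file` (whose header is the trailing context here) and `decrypt_file` are untouched. Worth confirming whether they create or rewrite `self.filename` and need the same handling, since the description covers "creation or modification of a vault file" generally.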

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7

News mentions: 0