CVE-2018-16859

Name	CVE-2018-16859
Description	Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ansible (PTS)	buster, buster (security)	2.7.7+dfsg-1+deb10u1	fixed
	bullseye	2.10.7+merged+base+2.10.8+dfsg-1	fixed
	bookworm, sid	7.0.0+dfsg-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
ansible	source	(unstable)	(not affected)

- ansible <not-affected> (Only issue when executing Ansible playbooks on Windows platforms)