Data Disclosure Vulnerability in Ansible Engine and Ansible Tower by Red Hat
CVE-2020-1746
5 MEDIUM
Summary
A vulnerability in Ansible Engine and Ansible Tower allows the LDAP bind password to be exposed in standard output or log files. The exposure occurs when playbook tasks pass the 'bind_pw' parameter to the ldap_attr and ldap_entry community modules, potentially compromising sensitive information and impacting data confidentiality.
Affected Version(s)
ansible ansible-engine versions 2.7.x before 2.7.17
ansible ansible-engine versions 2.8.x before 2.8.11
ansible ansible-engine versions 2.9.x before 2.9.7
References
CVSS V3.1
Score: 5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved