CVE-2020-1746

5MEDIUM

Key Information:

Vendor
Red Hat
Status
Ansible
Vendor
CVE Published:
12 May 2020

Summary

A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.

Affected Version(s)

ansible ansible-engine versions 2.7.x before 2.7.17

ansible ansible-engine versions 2.8.x before 2.8.11

ansible ansible-engine versions 2.9.x before 2.9.7

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1746
x_refsource_CONFIRM
https://github.com/ansible/ansible/pull/67866
x_refsource_CONFIRM
https://www.debian.org/security/2021/dsa-4950
vendor-advisoryx_refsource_DEBIAN

CVSS V3.1

Score:
5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.