Vulnerability Description
A flaw was found in Ansible Engine affecting versions 2.7.x before 2.7.17, 2.8.x before 2.8.11 and 2.9.x before 2.9.7, as well as Ansible Tower up to and including versions 3.4.5, 3.5.5 and 3.6.3, when the ldap_attr and ldap_entry community modules are used. If a playbook task passes bind_pw inside the module's parameters field, the LDAP bind password is disclosed to stdout or to a log file. The highest threat from this vulnerability is to data confidentiality.
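The leaking task shape the description refers to can be caught before a playbook runs. The check below is an added example, not code from the advisory or from the Ansible project: it walks an already-parsed playbook and flags ldap_attr/ldap_entry tasks (bare or collection-qualified name) whose params dict carries bind_pw. The sample playbook is constructed, and treating bind_pw given as the module's own option as the safe form is an assumption of this example.

```python
# Added example, not code from the advisory or from Ansible: a lint pass over a
# parsed playbook that flags ldap_attr / ldap_entry tasks passing bind_pw inside
# the module's params dict, the task shape CVE-2020-1746 describes as leaking
# the bind password to stdout or a log file.
# Assumption: the playbook was already loaded (e.g. yaml.safe_load) into the
# list-of-plays structure used for the constructed sample below.

LDAP_MODULES = ("ldap_attr", "ldap_entry")

def _ldap_args(task):
    """Return the module args dict if this task calls ldap_attr/ldap_entry, else None."""
    for key, value in task.items():
        if key.split(".")[-1] in LDAP_MODULES and isinstance(value, dict):
            return value
    return None

def find_bind_pw_in_params(plays):
    """List (play name, task name) for tasks that put bind_pw inside params."""
    findings = []
    for play in plays:
        for task in play.get("tasks", []) + play.get("handlers", []):
            args = _ldap_args(task)
            if args is None:
                continue
            params = args.get("params")
            if isinstance(params, dict) and "bind_pw" in params:
                findings.append((play.get("name", "<unnamed>"), task.get("name", "<unnamed>")))
    return findings

# Constructed sample: one task in the leaking shape, one with bind_pw given as
# the module's own option (assumed safe form for this example).
SAMPLE_PLAYBOOK = [{
    "name": "ldap maintenance",
    "hosts": "localhost",
    "tasks": [
        {"name": "set mail (params form)",
         "ldap_attr": {"dn": "uid=alice,ou=people,dc=example,dc=com",
                       "name": "mail", "values": "alice@example.com",
                       "params": {"bind_dn": "cn=admin,dc=example,dc=com",
                                  "bind_pw": "s3cret"}}},
        {"name": "set mail (direct form)",
         "community.general.ldap_attr": {"dn": "uid=alice,ou=people,dc=example,dc=com",
                                         "name": "mail", "values": "alice@example.com",
                                         "bind_dn": "cn=admin,dc=example,dc=com",
                                         "bind_pw": "{{ ldap_bind_pw }}"}},
    ],
}]

if __name__ == "__main__":
    for play, task in find_bind_pw_in_params(SAMPLE_PLAYBOOK):
        print(f"[{play}] task '{task}': bind_pw passed via params (CVE-2020-1746 shape)")
```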
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Ansible Engine | >= 2.7.0, < 2.7.17 |
| Redhat | Ansible Tower | >= 3.4.0, <= 3.4.5 |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1746 (Issue Tracking, Vendor Advisory)
- https://github.com/ansible/ansible/pull/67866 (Patch, Third Party Advisory)
- https://www.debian.org/security/2021/dsa-4950 (Third Party Advisory)
FAQ
What is CVE-2020-1746?
CVE-2020-1746 is a vulnerability with a CVSS score of 5.0 (MEDIUM). A flaw was found in Ansible Engine affecting versions 2.7.x before 2.7.17, 2.8.x before 2.8.11 and 2.9.x before 2.9.7, as well as Ansible Tower up to and including versions 3.4.5...
How severe is CVE-2020-1746?
CVE-2020-1746 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-1746?
Check the references section above for vendor advisories and patch information. Affected products include: Red Hat Ansible Engine, Red Hat Ansible Tower and Debian Linux.