CVE-2020-1753 — MEDIUM (5.0)

Q: How severe is CVE-2020-1753?

CVE-2020-1753 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-1753?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Ansible Engine, Redhat Ansible Tower, Debian Debian Linux, Fedoraproject Fedora.

Vulnerability Description

A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line, not using an environment variable or an input configuration file. This will disclose passwords and tokens from process list and no_log directive from debug module would not have any effect making these secrets being disclosed on stdout and log files.

CVSS Score

5.0

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Redhat	Ansible Engine	< 2.7.18
Redhat	Ansible Tower	<= 3.3.4
Debian	Debian Linux	10.0
Fedoraproject	Fedora	30

Related Weaknesses (CWE)

CWE-532 CWE-214 CWE-200

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1753Issue TrackingVendor Advisory
https://github.com/ansible-collections/kubernetes/pull/51ExploitPatchThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202006-11Third Party Advisory
https://www.debian.org/security/2021/dsa-4950Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1753Issue TrackingVendor Advisory
https://github.com/ansible-collections/kubernetes/pull/51ExploitPatchThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202006-11Third Party Advisory
https://www.debian.org/security/2021/dsa-4950Third Party Advisory

FAQ

What is CVE-2020-1753?

CVE-2020-1753 is a vulnerability with a CVSS score of 5.0 (MEDIUM). A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kuberne...

How severe is CVE-2020-1753?

CVE-2020-1753 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-1753?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Ansible Engine, Redhat Ansible Tower, Debian Debian Linux, Fedoraproject Fedora.