CVE-2020-1746

Current Description

A flaw was found in Ansible Engine, affecting versions 2.7.x before 2.7.17, 2.8.x before 2.8.11, and 2.9.x before 2.9.7, as well as Ansible Tower before and including versions 3.4.5, 3.5.5, and 3.6.3, when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using bind_pw in the parameters field. The highest threat from this vulnerability is to data confidentiality.

Basic Data

Published: May 12, 2020
Last Modified: May 26, 2020
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-200
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSS 2 - Access Vector: LOCAL
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 1.9
Severity: LOW
Exploitability Score: 3.4
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
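    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | Application | Redhat | Ansible Engine | * | * | * | * | * | * | * | * | 2.7.0 | | | 2.7.17
    2.3 | Application | Redhat | Ansible Engine | * | * | * | * | * | * | * | * | 2.8.0 | | | 2.8.11
    2.3 | Application | Redhat | Ansible Engine | * | * | * | * | * | * | * | * | 2.9.0 | | | 2.9.7
    2.3 | Application | Redhat | Ansible Tower | * | * | * | * | * | * | * | * | 3.4.0 | 3.4.5 | |
    2.3 | Application | Redhat | Ansible Tower | * | * | * | * | * | * | * | * | 3.5.0 | 3.5.5 | |
    2.3 | Application | Redhat | Ansible Tower | * | * | * | * | * | * | * | * | 3.6.0 | 3.6.3 | |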

Vulnerable Software List

Vendor | Product | Versions
Redhat | Ansible Tower | *
Redhat | Ansible Engine | *

References

Name | Source | URL | Tags
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1746 | CONFIRM | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1746 | Issue Tracking, Vendor Advisory
https://github.com/ansible/ansible/pull/67866 | CONFIRM | https://github.com/ansible/ansible/pull/67866 | Patch, Third Party Advisory