// For flags

CVE-2020-1746

ansible: Information disclosure issue in ldap_attr and ldap_entry modules

Severity Score

5.0
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.

Se detectó un fallo en el Ansible Engine que afectaba a las versiones 2.7.x anteriores a 2.7.17 y versiones 2.8.x anteriores a 2.8.11 y versiones 2.9.x anteriores a 2.9.7 así como en Ansible Tower versiones anteriores e incluyendo a 3.4.5 y 3.5.5 y 3.6.3, cuando son usados los módulos de la comunidad ldap_attr y ldap_entry. El problema revela la contraseña de enlace de LDAP en stdout o un archivo de registro si una tarea del playbook se escribe usando el bind_pw en el campo parameters. La mayor amenaza de esta vulnerabilidad es la confidencialidad de los datos.

A flaw was found in the Ansible Engine when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Local
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-11-27 CVE Reserved
  • 2020-04-22 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Redhat
Search vendor "Redhat"
 Ansible Engine
Search vendor "Redhat" for product "Ansible Engine"
 >= 2.7.0 < 2.7.17
Search vendor "Redhat" for product "Ansible Engine" and version " >= 2.7.0 < 2.7.17"
-
Affected
Redhat
Search vendor "Redhat"
 Ansible Engine
Search vendor "Redhat" for product "Ansible Engine"
 >= 2.8.0 < 2.8.11
Search vendor "Redhat" for product "Ansible Engine" and version " >= 2.8.0 < 2.8.11"
-
Affected
Redhat
Search vendor "Redhat"
 Ansible Engine
Search vendor "Redhat" for product "Ansible Engine"
 >= 2.9.0 < 2.9.7
Search vendor "Redhat" for product "Ansible Engine" and version " >= 2.9.0 < 2.9.7"
-
Affected
Redhat
Search vendor "Redhat"
 Ansible Tower
Search vendor "Redhat" for product "Ansible Tower"
 >= 3.4.0 <= 3.4.5
Search vendor "Redhat" for product "Ansible Tower" and version " >= 3.4.0 <= 3.4.5"
-
Affected
Redhat
Search vendor "Redhat"
 Ansible Tower
Search vendor "Redhat" for product "Ansible Tower"
 >= 3.5.0 <= 3.5.5
Search vendor "Redhat" for product "Ansible Tower" and version " >= 3.5.0 <= 3.5.5"
-
Affected
Redhat
Search vendor "Redhat"
 Ansible Tower
Search vendor "Redhat" for product "Ansible Tower"
 >= 3.6.0 <= 3.6.3
Search vendor "Redhat" for product "Ansible Tower" and version " >= 3.6.0 <= 3.6.3"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected