Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-1746

A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.

Published

2020-05-12T18:15:13.600

Last Modified

2024-11-21T05:11:17.757

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.0 (MEDIUM)

CVSSv2 Vector

AV:L/AC:M/Au:N/C:P/I:N/A:N

  • Access Vector: LOCAL
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
Exploitability Score

3.4

Impact Score

2.9

Weaknesses
  • Type: Primary
    CWE-200
  • Type: Secondary
    CWE-200
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application redhat ansible_engine < 2.7.17 Yes
Application redhat ansible_engine < 2.8.11 Yes
Application redhat ansible_engine < 2.9.7 Yes
Application redhat ansible_tower ≤ 3.4.5 Yes
Application redhat ansible_tower ≤ 3.5.5 Yes
Application redhat ansible_tower ≤ 3.6.3 Yes
Operating System debian debian_linux 10.0 Yes
References