Vulnerability Details : CVE-2020-10729
Potential exploit
A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6.
Products affected by CVE-2020-10729
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-10729
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 13 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-10729
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
2.1
|
LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
3.9
|
2.9
|
NIST | |
|
5.5
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
1.8
|
3.6
|
NIST |
CWE ids for CVE-2020-10729
-
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)
References for CVE-2020-10729
-
https://bugzilla.redhat.com/show_bug.cgi?id=1831089
1831089 – (CVE-2020-10729) CVE-2020-10729 Ansible: two random password lookups in same task return same valueIssue Tracking;Vendor Advisory
-
https://github.com/ansible/ansible/issues/34144
two random password lookups in same task return same value · Issue #34144 · ansible/ansible · GitHubExploit;Issue Tracking;Third Party Advisory
-
https://www.debian.org/security/2021/dsa-4950
Debian -- Security Information -- DSA-4950-1 ansibleThird Party Advisory
Jump to