Vulnerability Details : CVE-2020-1739
A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior: when a password is set with the "password" argument of the svn module, it is passed on the svn command line, disclosing it to other users on the same node. An attacker could take advantage of this by reading the cmdline file of that particular PID on the procfs.
Vulnerability category: Information leak
Products affected by CVE-2020-1739
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-1739
- EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
- Percentile: ~13% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2020-1739
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.3 | LOW | AV:L/AC:M/Au:N/C:P/I:P/A:N | 3.4 | 4.9 | NIST | |
3.9 | LOW | CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | 1.3 | 2.5 | Red Hat, Inc. | |
3.9 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | 1.3 | 2.5 | NIST | |
CWE ids for CVE-2020-1739
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
  Assigned by:
  - nvd@nist.gov (Secondary)
  - secalert@redhat.com (Primary)
References for CVE-2020-1739
- https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html
  [SECURITY] [DLA 2202-1] ansible security update (Mailing List; Third Party Advisory)
- https://github.com/ansible/ansible/issues/67797
  Command used in subversion module is problematic · Issue #67797 · ansible/ansible · GitHub (Issue Tracking; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QT27K5ZRGDPCH7GT3DRI3LO4IVDVQUB7/
  [SECURITY] Fedora 30 Update: ansible-2.9.6-1.fc30 - package-announce - Fedora Mailing-Lists (Mailing List; Release Notes; Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1739
  1802178 – (CVE-2020-1739) CVE-2020-1739 ansible: svn module leaks password when specified as a parameter (Issue Tracking; Patch; Third Party Advisory)
- https://www.debian.org/security/2021/dsa-4950
  Debian -- Security Information -- DSA-4950-1 ansible (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3IMV3XEIUXL6S4KPLYYM4TVJQ2VNEP2/
  [SECURITY] Fedora 32 Update: ansible-2.9.6-1.fc32 - package-announce - Fedora Mailing-Lists (Mailing List; Release Notes; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FWDK3QUVBULS3Q3PQTGEKUQYPSNOU5M3/
  [SECURITY] Fedora 31 Update: ansible-2.9.6-1.fc31 - package-announce - Fedora Mailing-Lists (Mailing List; Release Notes; Third Party Advisory)