CVE-2020-1746 : A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and

A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.

Published 2020-05-12 18:15:14

Updated 2021-10-19 14:14:58

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Exploit prediction scoring system (EPSS) score for CVE-2020-1746

Probability of exploitation activity in the next 30 days: 0.05%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 14 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2020-1746

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
1.9	LOW	AV:L/AC:M/Au:N/C:P/I:N/A:N	3.4	2.9	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.0	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N	1.3	3.6	Red Hat, Inc.
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None
5.0	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N	1.3	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2020-1746

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Assigned by:
- nvd@nist.gov (Secondary)
- secalert@redhat.com (Primary)

References for CVE-2020-1746

https://github.com/ansible/ansible/pull/67866

CVE-2020-1746 - Remove the params module option from ldap_attr and ldap_etnry by abadger · Pull Request #67866 · ansible/ansible · GitHub
Patch;Third Party Advisory
https://www.debian.org/security/2021/dsa-4950

Debian -- Security Information -- DSA-4950-1 ansible
Third Party Advisory

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1746

1805491 – (CVE-2020-1746) CVE-2020-1746 ansible: Information disclosure issue in ldap_attr and ldap_entry modules
Issue Tracking;Vendor Advisory

Products affected by CVE-2020-1746

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Redhat » Ansible Tower
Versions from including (>=) 3.6.0 and up to, including, (<=) 3.6.3
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
Matching versions
Redhat » Ansible Tower
Versions from including (>=) 3.5.0 and up to, including, (<=) 3.5.5
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
Matching versions
Redhat » Ansible Tower
Versions from including (>=) 3.4.0 and up to, including, (<=) 3.4.5
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
Matching versions
Redhat » Ansible Engine
Versions from including (>=) 2.8.0 and before (<) 2.8.11
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
Matching versions
Redhat » Ansible Engine
Versions from including (>=) 2.7.0 and before (<) 2.7.17
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
Matching versions
Redhat » Ansible Engine
Versions from including (>=) 2.9.0 and before (<) 2.9.7
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2020-1746

Exploit prediction scoring system (EPSS) score for CVE-2020-1746

CVSS scores for CVE-2020-1746

CWE ids for CVE-2020-1746

References for CVE-2020-1746

Products affected by CVE-2020-1746