CVE-2020-1746
MEDIUM 5.0 | EPSS 0.12% | Exposure of Sensitive Information to an Unauthorized Actor in ansible
Published: 2021/4/20 | Modified: 2025/11/19
Also known as: ALPINE-CVE-2020-1746, DEBIAN-CVE-2020-1746
Description
A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17, 2.8.x before 2.8.11, and 2.9.x before 2.9.7, as well as Ansible Tower versions up to and including 3.4.5, 3.5.5, and 3.6.3, when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is to data confidentiality.
Affected packages (5)
- Alpine/ansible: from 0, < 2.9.7-r0
- Alpine/ansible-base: from 0, < 2.9.7-r0
- Debian/ansible: from 0, < 2.9.7+dfsg-1
- PyPI/ansible: >= 2.8.0a1, < 2.8.11
- PyPI/ansible: >= 2.7.0, < 2.7.17; >= 2.8.0, < 2.8.11; >= 2.9.0, < 2.9.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 5.0 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
References (12)
- ADVISORY: https://github.com/advisories/GHSA-j2h6-73x8-22c4
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2020-1746
- ADVISORY: https://security.alpinelinux.org/vuln/CVE-2020-1746
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2020-1746
- PATCH: https://github.com/ansible/ansible
- WEB: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1746
- WEB: https://github.com/ansible/ansible/commit/d41e38435b1a9e300d8011ac28f16a5add2db119
- WEB: https://github.com/ansible/ansible/commit/e6199d768c1c18a4e750ec78d4ded088629baa3f
- WEB: https://github.com/ansible/ansible/commit/edd1e1723cc937ec9251adf38c1199a00b0bf6d4
- WEB: https://github.com/ansible/ansible/pull/67866
- WEB: https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-13.yaml
- WEB: https://www.debian.org/security/2021/dsa-4950