← Voltar para CVEs
CVE-2020-1746
MEDIUM5.0
Descricao
A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.
Detalhes CVE
Pontuacao CVSS v3.15.0
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Vetor de ataqueLOCAL
ComplexidadeLOW
Privilegios necessariosLOW
Interacao do usuarioREQUIRED
Publicado5/12/2020
Ultima modificacao11/21/2024
Fontenvd
Avistamentos honeypot0
Produtos afetados
debian:debian_linuxredhat:ansible_engineredhat:ansible_tower
Fraquezas (CWE)
CWE-200CWE-200
Referencias
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1746(secalert@redhat.com)
https://github.com/ansible/ansible/pull/67866(secalert@redhat.com)
https://www.debian.org/security/2021/dsa-4950(secalert@redhat.com)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1746(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/ansible/ansible/pull/67866(af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2021/dsa-4950(af854a3a-2127-422b-91ae-364da2661108)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.