Home > Vulnerability Database > CVE-2020-1753

Mend.io Vulnerability Database

CVE-2020-1753

Good to know:

Date: March 16, 2020

A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line, not using an environment variable or an input configuration file. This will disclose passwords and tokens from process list and no_log directive from debug module would not have any effect making these secrets being disclosed on stdout and log files.

Language: Python

Severity Score

5.0

Related Resources (20)

Url: https://github.com/ansible/ansible/commit/137caed836ef096945086cfe75dc11587b68db3a

Url: https://github.com/ansible/ansible/commit/273d8538dbe5a7b5c9954f1929d3bb00904c43f6

Url: https://www.debian.org/security/2021/dsa-4950

Url: https://github.com/advisories/GHSA-86hp-cj9j-33vv

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-1753

Url: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1753

Url: https://github.com/ansible-collections/kubernetes

Url: https://github.com/ansible/ansible/pull/68195

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/

Url: https://github.com/ansible-collections/kubernetes/pull/51

Url: https://security-tracker.debian.org/tracker/CVE-2020-1753

Url: https://github.com/ansible/ansible/commit/04ba05e003b268b83df6c106ba5c0f08548b1380

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S

Url: https://security.gentoo.org/glsa/202006-11

Url: https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-210.yaml

Url: https://www.mend.io/vulnerability-database/CVE-2020-1753

Severity Score

5.0

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Insertion of Sensitive Information into Log File

CWE-532

Invocation of Process Using Visible Sensitive Information

CWE-214

Top Fix

Upgrade Version

Upgrade to version ansible - 2.7.18;ansible - 2.8.12;ansible - 2.9.7

Learn More

CVSS v3.1

Base Score:	5.0
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	2.1
Access Vector (AV):	LOCAL
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-1753

Good to know:

Date: March 16, 2020

Language: Python

Severity Score

Related Resources (20)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?