Vulnerability DatabaseCVE-2020-1753
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2020-1753
March 16, 2020
A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line, not using an environment variable or an input configuration file. This will disclose passwords and tokens from process list and no_log directive from debug module would not have any effect making these secrets being disclosed on stdout and log files.
Affected Packages
ansible (PYTHON):
Affected version(s) >=2.9.0b1 <2.9.7
Fix Suggestion:
Update to version 2.9.7
ansible (PYTHON):
Affected version(s) >=2.7.0a1 <2.7.18
Fix Suggestion:
Update to version 2.7.18
ansible (PYTHON):
Affected version(s) >=2.8.0a1 <2.8.12
Fix Suggestion:
Update to version 2.8.12
Related ResourcesĀ (18)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/
https://github.com/ansible-collections/kubernetes/pull/51
https://github.com/ansible/ansible/commit/273d8538dbe5a7b5c9954f1929d3bb00904c43f6
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1753
https://github.com/ansible-collections/kubernetes
https://nvd.nist.gov/vuln/detail/CVE-2020-1753
https://github.com/advisories/GHSA-86hp-cj9j-33vv
https://www.debian.org/security/2021/dsa-4950
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S
https://github.com/ansible/ansible/commit/137caed836ef096945086cfe75dc11587b68db3a
https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-210.yaml
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB
https://security.gentoo.org/glsa/202006-11
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/
https://github.com/ansible/ansible/commit/04ba05e003b268b83df6c106ba5c0f08548b1380
https://github.com/ansible/ansible/pull/68195
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.1
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
CVSS v2
Base Score:
2.1
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
Weakness Type (CWE)
Exposure of Sensitive Information to an Unauthorized Actor
CWE-200
Insertion of Sensitive Information into Log File
CWE-532
Invocation of Process Using Visible Sensitive Information
CWE-214
EPSS
Base Score:
0.04