CVE Vulnerability

CVE-2020-10729

A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6.

2.1 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

5.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/ansible/ansible/issues/34144 Exploit Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=1831089 Issue Tracking Vendor Advisory
https://www.debian.org/security/2021/dsa-4950 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Information

Published : 2021-05-27 07:15

Updated : 2021-12-10 07:57

NVD link : CVE-2020-10729

Mitre link : CVE-2020-10729

Products Affected

Ansible Engine

Redhat

CWE
CWE-330