CVE-2020-1746

A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.
References
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

19 Oct 2021, 14:14

Type Values Removed Values Added
References
  • (DEBIAN) https://www.debian.org/security/2021/dsa-4950 - Third Party Advisory
CPE cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Information

Published : 2020-05-12 18:15

Updated : 2023-12-10 13:27


NVD link : CVE-2020-1746

Mitre link : CVE-2020-1746

CVE.ORG link : CVE-2020-1746


JSON object : View

Products Affected

debian

  • debian_linux

redhat

  • ansible_tower
  • ansible_engine
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor