{ "threat_severity" : "Moderate", "public_date" : "2020-02-28T00:00:00Z", "bugzilla" : { "description" : "ansible: Information disclosure issue in ldap_attr and ldap_entry modules", "id" : "1805491", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1805491" }, "cvss3" : { "cvss3_base_score" : "5.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-200", "details" : [ "A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.", "A flaw was found in the Ansible Engine when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality." ], "statement" : "* Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n* Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n* Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintains their own version of Ansible. The fix will be provided from core Ansible. But we still ship ansible separately for ceph ubuntu.\n* In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.", "acknowledgement" : "Red Hat would like to thank Felix Fountein for reporting this issue.", "affected_release" : [ { "product_name" : "Red Hat Ansible Engine 2.7 for RHEL 7", "release_date" : "2020-04-22T00:00:00Z", "advisory" : "RHSA-2020:1544", "cpe" : "cpe:/a:redhat:ansible_engine:2.7::el7", "package" : "ansible-0:2.7.17-1.el7ae", "impact" : "low" }, { "product_name" : "Red Hat Ansible Engine 2.8 for RHEL 7", "release_date" : "2020-04-22T00:00:00Z", "advisory" : "RHSA-2020:1543", "cpe" : "cpe:/a:redhat:ansible_engine:2.8::el7", "package" : "ansible-0:2.8.11-1.el7ae", "impact" : "low" }, { "product_name" : "Red Hat Ansible Engine 2.8 for RHEL 8", "release_date" : "2020-04-22T00:00:00Z", "advisory" : "RHSA-2020:1543", "cpe" : "cpe:/a:redhat:ansible_engine:2.8::el8", "package" : "ansible-0:2.8.11-1.el8ae", "impact" : "low" }, { "product_name" : "Red Hat Ansible Engine 2.9 for RHEL 7", "release_date" : "2020-04-22T00:00:00Z", "advisory" : "RHSA-2020:1541", "cpe" : "cpe:/a:redhat:ansible_engine:2.9::el7", "package" : "ansible-0:2.9.7-1.el7ae", "impact" : "low" }, { "product_name" : "Red Hat Ansible Engine 2.9 for RHEL 8", "release_date" : "2020-04-22T00:00:00Z", "advisory" : "RHSA-2020:1541", "cpe" : "cpe:/a:redhat:ansible_engine:2.9::el8", "package" : "ansible-0:2.9.7-1.el8ae", "impact" : "low" }, { "product_name" : "Red Hat Ansible Engine 2 for RHEL 7", "release_date" : "2020-04-22T00:00:00Z", "advisory" : "RHSA-2020:1542", "cpe" : "cpe:/a:redhat:ansible_engine:2::el7", "package" : "ansible-0:2.9.7-1.el7ae", "impact" : "low" }, { "product_name" : "Red Hat Ansible Engine 2 for RHEL 8", "release_date" : "2020-04-22T00:00:00Z", "advisory" : "RHSA-2020:1542", "cpe" : "cpe:/a:redhat:ansible_engine:2::el8", "package" : "ansible-0:2.9.7-1.el8ae", "impact" : "low" }, { "product_name" : "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date" : "2020-02-18T00:00:00Z", "advisory" : "RHBA-2020:0547", "cpe" : "cpe:/a:redhat:ansible_tower:3.4::el7", "package" : "ansible-tower-34/ansible-tower-memcached:1.4.15-28", "impact" : "low" }, { "product_name" : "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date" : "2020-02-18T00:00:00Z", "advisory" : "RHBA-2020:0547", "cpe" : "cpe:/a:redhat:ansible_tower:3.4::el7", "package" : "ansible-tower-35/ansible-tower-memcached:1.4.15-28", "impact" : "low" }, { "product_name" : "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date" : "2020-02-18T00:00:00Z", "advisory" : "RHBA-2020:0547", "cpe" : "cpe:/a:redhat:ansible_tower:3.4::el7", "package" : "ansible-tower-37/ansible-tower-memcached-rhel7:1.4.15-28", "impact" : "low" }, { "product_name" : "Red Hat Ansible Tower 3.5 for RHEL 7", "release_date" : "2020-04-22T00:00:00Z", "advisory" : "RHBA-2020:1539", "cpe" : "cpe:/a:redhat:ansible_tower:3.5::el7", "package" : "ansible-tower-35/ansible-tower:3.5.6-1", "impact" : "low" } ], "package_state" : [ { "product_name" : "CloudForms Management Engine 5", "fix_state" : "Not affected", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5", "impact" : "low" }, { "product_name" : "Red Hat Ceph Storage 2", "fix_state" : "Out of support scope", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:ceph_storage:2", "impact" : "low" }, { "product_name" : "Red Hat Ceph Storage 3", "fix_state" : "Fix deferred", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:ceph_storage:3", "impact" : "low" }, { "product_name" : "Red Hat OpenStack Platform 10 (Newton)", "fix_state" : "Out of support scope", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:openstack:10", "impact" : "low" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Will not fix", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat Storage 3", "fix_state" : "Will not fix", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:storage:3", "impact" : "low" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-1746\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-1746" ], "name" : "CVE-2020-1746", "mitigation" : { "value" : "Using args keyword and embedding the ldap_auth variable instead of using bind_pw parameter would mitigate this issue.", "lang" : "en:us" }, "csaw" : false }