CVE-2020-10729

A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6.

Published: May 27, 2021
Updated: May 9, 2024
CVE: CVE-2020-10729
GHSA: GHSA-r6h7-5pq2-j77h
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.5
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 2.1
AV:L/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-330

Affected Software
References

Software	From	Fixed in
redhat / ansible_engine	-	2.9.6
debian / debian_linux	10.0	10.0.x
ansible	-	2.9.6

https://bugzilla.redhat.com/show_bug.cgi?id=1831089
https://github.com/ansible/ansible/blob/v2.9.6/changelogs/CHANGELOG-v2.9.rst
https://github.com/ansible/ansible/issues/34144
https://github.com/ansible/ansible/pull/67429/
https://www.debian.org/security/2021/dsa-4950

Vulnerability Database

289,599

CVE-2020-10729