CVE-2020-1746

low-risk

Published 2020-05-12

A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.

Do I need to act?

0.06% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.0/10 Medium

LOCAL / LOW complexity

Affected Products (3)

Ansible Engine

Ansible Tower

Debian Linux

Affected Vendors

Debian Redhat

References (6)

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1746

Patch https://github.com/ansible/ansible/pull/67866

Third Party Advisory https://www.debian.org/security/2021/dsa-4950

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1746

Patch https://github.com/ansible/ansible/pull/67866

Third Party Advisory https://www.debian.org/security/2021/dsa-4950

/ 100

low-risk

Severity 17/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 9/34 · Low