CVE-2020-10729
CVE-2020-10729 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. A flaw was found in the use of insufficiently random values in Ansible: two random password lookups of the same length return the same value, because template caching for the same file means the lookup is not re-evaluated. EPSS estimates a 0.43% chance of exploitation in the next 30 days.
Description
A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length return the same value, because template caching for the same file means the lookup is not re-evaluated. The highest threat from this vulnerability is that all passwords for the file are exposed at once. This flaw affects Ansible Engine versions before 2.9.6.
Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Ansible Engine | < 2.9.6 |
| Debian | Debian Linux | 10.0 |
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1831089 (Issue Tracking, Vendor Advisory)
- https://github.com/ansible/ansible/issues/34144 (Exploit, Issue Tracking, Third Party Advisory)
- https://www.debian.org/security/2021/dsa-4950 (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
