CVE-2020-10729
First published: Mon May 04 2020(Updated: )
A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Ansible Engine | <2.9.6 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Debian Debian Linux | =10.0 | |
| debian/ansible | 2.7.7+dfsg-1+deb10u1 2.7.7+dfsg-1+deb10u2 2.10.7+merged+base+2.10.8+dfsg-1 7.3.0+dfsg-1 7.7.0+dfsg-3 | |
| pip/ansible | <2.9.6 | 2.9.6 |
| redhat/ansible-engine | <2.9.6 | 2.9.6 |
| All of | ||
| Any of | ||
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Ansible Engine | <2.9.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1831089
- https://github.com/ansible/ansible/issues/34144
- https://www.debian.org/security/2021/dsa-4950
- https://github.com/ansible/ansible/pull/67429/
- https://github.com/ansible/ansible/commit/b38603c45ed3a53574ec2080fb3a24db38ab5bc6
- https://github.com/ansible/ansible/commit/87a9485b2f5a3188460f0a0219d2e0d990ce4e67
- https://security-tracker.debian.org/tracker/CVE-2020-10729
- https://nvd.nist.gov/vuln/detail/CVE-2020-10729
- https://github.com/ansible/ansible/blob/v2.9.6/changelogs/CHANGELOG-v2.9.rst
- https://github.com/ansible/ansible/pull/67429
- https://github.com/ansible/ansible/commit/c520d70bf4748c8ee6718a7d0d0254051ba1c2e9
- https://github.com/advisories/GHSA-r6h7-5pq2-j77h (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2021-105.yaml
- https://access.redhat.com/errata/RHBA-2020:0784
Frequently Asked Questions
What is CVE-2020-10729?
CVE-2020-10729 is a vulnerability in Ansible that allows for the generation of insufficiently random values, potentially leading to the exposure of sensitive information.
What is the severity of CVE-2020-10729?
The severity of CVE-2020-10729 is medium, with a severity score of 5.5.
How does CVE-2020-10729 affect Ansible?
CVE-2020-10729 affects Ansible by allowing two random password lookups of the same length to generate equal values, potentially exposing all passwords due to template caching.
Which software versions are affected by CVE-2020-10729?
The affected software versions include Ansible 2.9.6, Redhat Ansible Engine up to version 2.9.6, and Debian Debian Linux 10.0 with specific package versions.
How can I fix CVE-2020-10729?
To fix CVE-2020-10729, it is recommended to update to the latest patched version of Ansible or apply the specific remedy provided by the vendor.
- collector/nvd-index
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-r6h7-5pq2-j77h
- alias/CVE-2020-10729
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- agent/last-modified-date
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/description
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- agent/tags
- agent/event
- collector/github-advisory
- vendor/redhat
- canonical/redhat ansible engine
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- package-manager/debian
- package-manager/pip
- package-manager/redhat