First published: Mon May 04 2020(Updated: )
A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
pip/ansible | <2.9.6 | 2.9.6 |
redhat/ansible-engine | <2.9.6 | 2.9.6 |
debian/ansible | 2.10.7+merged+base+2.10.17+dfsg-0+deb11u1 2.10.7+merged+base+2.10.17+dfsg-0+deb11u2 7.7.0+dfsg-3+deb12u1 11.2.0+dfsg-1 | |
All of | ||
Red Hat Ansible Engine | <2.9.6 | |
Any of | ||
Red Hat Enterprise Linux | =7.0 | |
Red Hat Enterprise Linux | =8.0 | |
Debian Linux | =10.0 | |
Red Hat Ansible Engine | <2.9.6 | |
Red Hat Enterprise Linux | =7.0 | |
Red Hat Enterprise Linux | =8.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2020-10729 is a vulnerability in Ansible that allows for the generation of insufficiently random values, potentially leading to the exposure of sensitive information.
The severity of CVE-2020-10729 is medium, with a severity score of 5.5.
CVE-2020-10729 affects Ansible by allowing two random password lookups of the same length to generate equal values, potentially exposing all passwords due to template caching.
The affected software versions include Ansible 2.9.6, Redhat Ansible Engine up to version 2.9.6, and Debian Debian Linux 10.0 with specific package versions.
To fix CVE-2020-10729, it is recommended to update to the latest patched version of Ansible or apply the specific remedy provided by the vendor.