CVE-2020-10729
First published: Mon May 04 2020(Updated: )
A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/ansible | <2.9.6 | 2.9.6 |
| redhat/ansible-engine | <2.9.6 | 2.9.6 |
| debian/ansible | 2.10.7+merged+base+2.10.17+dfsg-0+deb11u1 2.10.7+merged+base+2.10.17+dfsg-0+deb11u2 7.7.0+dfsg-3+deb12u1 11.2.0+dfsg-1 | |
| All of | ||
| Red Hat Ansible Engine | <2.9.6 | |
| Any of | ||
| Red Hat Enterprise Linux | =7.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| Debian Linux | =10.0 | |
| Red Hat Ansible Engine | <2.9.6 | |
| Red Hat Enterprise Linux | =7.0 | |
| Red Hat Enterprise Linux | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/ansible/ansible/issues/34144
- https://github.com/ansible/ansible/pull/67429/
- https://github.com/ansible/ansible/commit/b38603c45ed3a53574ec2080fb3a24db38ab5bc6
- https://github.com/ansible/ansible/commit/87a9485b2f5a3188460f0a0219d2e0d990ce4e67
- https://security-tracker.debian.org/tracker/CVE-2020-10729
- https://nvd.nist.gov/vuln/detail/CVE-2020-10729
- https://bugzilla.redhat.com/show_bug.cgi?id=1831089
- https://github.com/ansible/ansible/blob/v2.9.6/changelogs/CHANGELOG-v2.9.rst
- https://www.debian.org/security/2021/dsa-4950
- https://github.com/ansible/ansible/pull/67429
- https://github.com/ansible/ansible/commit/c520d70bf4748c8ee6718a7d0d0254051ba1c2e9
- https://github.com/advisories/GHSA-r6h7-5pq2-j77h (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2021-105.yaml
- https://access.redhat.com/errata/RHBA-2020:0784
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10729
- https://launchpad.net/bugs/cve/CVE-2020-10729
- https://ubuntu.com/security/CVE-2020-10729
Frequently Asked Questions
What is CVE-2020-10729?
CVE-2020-10729 is a vulnerability in Ansible that allows for the generation of insufficiently random values, potentially leading to the exposure of sensitive information.
What is the severity of CVE-2020-10729?
The severity of CVE-2020-10729 is medium, with a severity score of 5.5.
How does CVE-2020-10729 affect Ansible?
CVE-2020-10729 affects Ansible by allowing two random password lookups of the same length to generate equal values, potentially exposing all passwords due to template caching.
Which software versions are affected by CVE-2020-10729?
The affected software versions include Ansible 2.9.6, Redhat Ansible Engine up to version 2.9.6, and Debian Debian Linux 10.0 with specific package versions.
How can I fix CVE-2020-10729?
To fix CVE-2020-10729, it is recommended to update to the latest patched version of Ansible or apply the specific remedy provided by the vendor.
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-r6h7-5pq2-j77h
- alias/CVE-2020-10729
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- agent/severity
- agent/weakness
- collector/github-advisory
- agent/trending
- agent/author
- collector/launchpad-cve
- source/Launchpad
- agent/references
- agent/source
- collector/security-tracker-debian
- source/Debian
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- package-manager/pip
- package-manager/redhat
- package-manager/debian
- vendor/redhat
- canonical/red hat ansible engine
- canonical/red hat enterprise linux
- version/red hat enterprise linux/7.0
- version/red hat enterprise linux/8.0
- vendor/debian
- canonical/debian linux
- version/debian linux/10.0