CVE-2020-1739: Infoleak
First published: Wed Feb 12 2020(Updated: )
A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ansible-engine | <2.7.17 | 2.7.17 |
| redhat/ansible-engine | <2.8.11 | 2.8.11 |
| redhat/ansible-engine | <2.9.7 | 2.9.7 |
| Redhat Ansible | <=2.7.16 | |
| Redhat Ansible | >=2.8.0<=2.8.8 | |
| Redhat Ansible | >=2.9.0<=2.9.5 | |
| Redhat Ansible Tower | <=3.3.4 | |
| Redhat Ansible Tower | >=3.4.0<=3.4.5 | |
| Redhat Ansible Tower | >=3.5.0<=3.5.5 | |
| Redhat Ansible Tower | >=3.6.0<=3.6.3 | |
| Redhat Cloudforms Management Engine | =5.0 | |
| Redhat Openstack | =13 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =10.0 | |
| debian/ansible | 2.7.7+dfsg-1+deb10u1 2.7.7+dfsg-1+deb10u2 2.10.7+merged+base+2.10.8+dfsg-1 7.3.0+dfsg-1 7.7.0+dfsg-3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1739
- https://github.com/ansible/ansible/issues/67797
- https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FWDK3QUVBULS3Q3PQTGEKUQYPSNOU5M3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QT27K5ZRGDPCH7GT3DRI3LO4IVDVQUB7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U3IMV3XEIUXL6S4KPLYYM4TVJQ2VNEP2/
- https://www.debian.org/security/2021/dsa-4950
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1805322
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1805321
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1802178#c4
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1807879
- https://access.redhat.com/errata/RHSA-2020:1541
- https://access.redhat.com/errata/RHSA-2020:1542
- https://access.redhat.com/errata/RHSA-2020:1543
- https://access.redhat.com/errata/RHSA-2020:1544
- https://access.redhat.com/security/cve/cve-2020-1739
- https://bugzilla.redhat.com/show_bug.cgi?id=1802178
- https://github.com/ansible/ansible/pull/67829
- https://github.com/ansible/ansible/commit/d91658ec0c8434c82c3ef98bfe9eb4e1027a43a3
- https://security-tracker.debian.org/tracker/CVE-2020-1739
Frequently Asked Questions
What is CVE-2020-1739?
CVE-2020-1739 is a vulnerability in Ansible that allows the disclosure of a password set with the argument "password" of the svn module, when it is used on the svn command line.
What is the severity of CVE-2020-1739?
CVE-2020-1739 has a severity level of low with a CVSS score of 3.9.
How does CVE-2020-1739 affect Ansible?
CVE-2020-1739 affects Ansible versions 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior.
How can I fix CVE-2020-1739?
To fix CVE-2020-1739, update Ansible to version 2.7.17, 2.8.11, or 2.9.7.
Where can I find more information about CVE-2020-1739?
You can find more information about CVE-2020-1739 on the Red Hat Bugzilla page: [link](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1805322)
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-1739
- agent/software-canonical-lookup
- collector/security-tracker-debian
- vendor/redhat
- canonical/redhat ansible
- version/redhat ansible/2.7.16
- version/redhat ansible/2.8.0
- version/redhat ansible/2.8.8
- version/redhat ansible/2.9.0
- version/redhat ansible/2.9.5
- canonical/redhat ansible tower
- version/redhat ansible tower/3.3.4
- version/redhat ansible tower/3.4.0
- version/redhat ansible tower/3.4.5
- version/redhat ansible tower/3.5.0
- version/redhat ansible tower/3.5.5
- version/redhat ansible tower/3.6.0
- version/redhat ansible tower/3.6.3
- canonical/redhat cloudforms management engine
- version/redhat cloudforms management engine/5.0
- canonical/redhat openstack
- version/redhat openstack/13
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/10.0
- package-manager/redhat
- package-manager/debian