CVE-2020-1753 MEDIUM

CVE-2020-1753

Vendor Red Hat

Product Ansible

Weakness CWE-200 · Info exposure

Published March 16, 2020

Last update August 4, 2024

View on NVD All CVEs

CVSS base score

5.0/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line, not using an environment variable or an input configuration file. This will disclose passwords and tokens from process list and no_log directive from debug module would not have any effect making these secrets being disclosed on stdout and log files.

Key dates

02Disclosure timeline

March 16, 2020 CVE published

August 4, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-1753 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

Identifiers

CVE CVE-2020-1753

CWE CWE-200

CVSS 5.0 / MEDIUM

Affected versions

Vendor Red Hat

Product Ansible

Affected all Ansible 2.7.x versions prior to 2.7.17

Vendor Red Hat

Product Ansible

Affected all Ansible 2.8.x versions prior to 2.8.11

Vendor Red Hat

Product Ansible

Affected all Ansible 2.9.x versions prior to 2.9.7

CVE-2020-1753

01Description

02Disclosure timeline

03References

04Related CVE