CVE-2020-1753
Summary
| CVE | CVE-2020-1753 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-03-16 15:15:00 UTC |
| Updated | 2023-11-07 03:19:00 UTC |
| Description | A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing Kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl on the command line instead of through an environment variable or an input configuration file. This discloses passwords and tokens in the process list, and the no_log directive from the debug module has no effect, so these secrets are also disclosed on stdout and in log files. |
Risk And Classification
Problem Types: CWE-200 | CWE-532 | CWE-214
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 30 | All | All | All |
| Operating System | Fedoraproject | Fedora | 31 | All | All | All |
| Operating System | Fedoraproject | Fedora | 32 | All | All | All |
| Application | Redhat | Ansible Engine | All | All | All | All |
| Application | Redhat | Ansible Tower | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] Fedora 32 Update: ansible-2.9.7-1.fc32 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| warn about disclosure when using certain options by bcoca · Pull Request #51 · ansible-collections/community.kubernetes · GitHub | CONFIRM | github.com | Exploit, Patch, Third Party Advisory |
| [SECURITY] Fedora 30 Update: ansible-2.9.7-1.fc30 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Ansible: Multiple vulnerabilities (GLSA 202006-11) — Gentoo security | GENTOO | security.gentoo.org | |
| 1811008 – (CVE-2020-1753) CVE-2020-1753 Ansible: kubectl connection plugin leaks sensitive information | CONFIRM | bugzilla.redhat.com | Issue Tracking, Vendor Advisory |
| Debian -- Security Information -- DSA-4950-1 ansible | DEBIAN | www.debian.org | |
| [SECURITY] Fedora 31 Update: ansible-2.9.7-1.fc31 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.