{"api_version":"1","generated_at":"2026-04-23T04:20:57+00:00","cve":"CVE-2020-1746","urls":{"html":"https://cve.report/CVE-2020-1746","api":"https://cve.report/api/cve/CVE-2020-1746.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-1746","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-1746"},"summary":{"title":"CVE-2020-1746","description":"A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2020-05-12 18:15:00","updated_at":"2023-11-07 03:19:00"},"problem_types":["CWE-200"],"metrics":[],"references":[{"url":"https://github.com/ansible/ansible/pull/67866","name":"https://github.com/ansible/ansible/pull/67866","refsource":"CONFIRM","tags":["Patch","Third Party Advisory"],"title":"CVE-2020-1746 - Remove the params module option from ldap_attr and ldap_etnry by abadger · Pull Request #67866 · ansible/ansible · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2021/dsa-4950","name":"DSA-4950","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-4950-1 ansible","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1746","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1746","refsource":"CONFIRM","tags":["Issue Tracking","Vendor Advisory"],"title":"1805491 – (CVE-2020-1746) CVE-2020-1746 ansible: Information disclosure issue in ldap_attr and ldap_entry modules","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-1746","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1746","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"1746","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1746","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"ansible_engine","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1746","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"ansible_engine","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1746","vulnerable":"1","versionEndIncluding":"3.4.5","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"ansible_tower","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1746","vulnerable":"1","versionEndIncluding":"3.5.5","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"ansible_tower","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1746","vulnerable":"1","versionEndIncluding":"3.6.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"ansible_tower","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-1746","qid":"178744","title":"Debian Security Update for ansible (DSA 4950-1)"},{"cve":"CVE-2020-1746","qid":"356226","title":"Amazon Linux Security Advisory for ansible : ALASANSIBLE2-2023-008"},{"cve":"CVE-2020-1746","qid":"500010","title":"Alpine Linux Security Update for ansible"},{"cve":"CVE-2020-1746","qid":"501350","title":"Alpine Linux Security Update for ansible-base"},{"cve":"CVE-2020-1746","qid":"980401","title":"Python (pip) Security Update for ansible (GHSA-j2h6-73x8-22c4)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2020-1746","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Red Hat","product":{"product_data":[{"product_name":"ansible","version":{"version_data":[{"version_value":"ansible-engine versions 2.7.x before 2.7.17"},{"version_value":"ansible-engine versions 2.8.x before 2.8.11"},{"version_value":"ansible-engine versions 2.9.x before 2.9.7"},{"version_value":"Ansible Tower <= 3.4.5"},{"version_value":"Ansible Tower <= 3.5.5"},{"version_value":"Ansible Tower <= 3.6.3"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-200"}]}]},"references":{"reference_data":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1746","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1746","refsource":"CONFIRM"},{"url":"https://github.com/ansible/ansible/pull/67866","name":"https://github.com/ansible/ansible/pull/67866","refsource":"CONFIRM"},{"refsource":"DEBIAN","name":"DSA-4950","url":"https://www.debian.org/security/2021/dsa-4950"}]},"description":{"description_data":[{"lang":"eng","value":"A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality."}]},"impact":{"cvss":[[{"vectorString":"5.0/CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","version":"3.0"}]]}},"nvd":{"publishedDate":"2020-05-12 18:15:00","lastModifiedDate":"2023-11-07 03:19:00","problem_types":["CWE-200"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.3,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:M/Au:N/C:P/I:N/A:N","accessVector":"LOCAL","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":1.9},"severity":"LOW","exploitabilityScore":3.4,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*","versionStartIncluding":"3.6.0","versionEndIncluding":"3.6.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*","versionStartIncluding":"3.5.0","versionEndIncluding":"3.5.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*","versionStartIncluding":"3.4.0","versionEndIncluding":"3.4.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*","versionStartIncluding":"2.9.0","versionEndExcluding":"2.9.7","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*","versionStartIncluding":"2.8.0","versionEndExcluding":"2.8.11","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*","versionStartIncluding":"2.7.0","versionEndExcluding":"2.7.17","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"1746","Ordinal":"160984","Title":"CVE-2020-1746","CVE":"CVE-2020-1746","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"1746","Ordinal":"1","NoteData":"A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"1746","Ordinal":"2","NoteData":"2020-05-12","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"1746","Ordinal":"3","NoteData":"2021-08-07","Type":"Other","Title":"Modified"}]}}}