Описание
A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.
A flaw was found in Ansible Engine. When a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.
Отчет
Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected. Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected. In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package.
Меры по смягчению последствий
Instead of using the parameter 'password' of the subversion module, provide the password with stdin.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| CloudForms Management Engine 5 | ansible-tower | Not affected | ||
| Red Hat Ceph Storage 2 | ansible | Out of support scope | ||
| Red Hat Ceph Storage 3 | ansible | Affected | ||
| Red Hat OpenStack Platform 10 (Newton) | ansible | Out of support scope | ||
| Red Hat OpenStack Platform 13 (Queens) | ansible | Will not fix | ||
| Red Hat Storage 3 | ansible | Will not fix | ||
| Red Hat Ansible Engine 2.7 for RHEL 7 | ansible | Fixed | RHSA-2020:1544 | 22.04.2020 |
| Red Hat Ansible Engine 2.8 for RHEL 7 | ansible | Fixed | RHSA-2020:1543 | 22.04.2020 |
| Red Hat Ansible Engine 2.8 for RHEL 8 | ansible | Fixed | RHSA-2020:1543 | 22.04.2020 |
| Red Hat Ansible Engine 2.9 for RHEL 7 | ansible | Fixed | RHSA-2020:1541 | 22.04.2020 |
Показывать по
Дополнительная информация
Статус:
EPSS
3.9 Low
CVSS3
Связанные уязвимости
A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.
A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.
A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9 ...
Exposure of Sensitive Information to an Unauthorized Actor in Ansible
Уязвимость модуля svn системы управления конфигурациями Ansible, связанная с раскрытием информации, позволяющая нарушителю получить доступ к конфиденциальным данным и нарушить их целостность
EPSS
3.9 Low
CVSS3