CVE-2020-1739
Published: 12 March 2020
A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
ansible Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| eoan |
Ignored
(end of life)
|
|
| focal |
Needed
|
|
| groovy |
Not vulnerable
(2.9.7+dfsg-1)
|
|
| hirsute |
Not vulnerable
(2.9.7+dfsg-1)
|
|
| impish |
Not vulnerable
(2.9.7+dfsg-1)
|
|
| jammy |
Not vulnerable
(2.9.7+dfsg-1)
|
|
| kinetic |
Not vulnerable
(2.9.7+dfsg-1)
|
|
| lunar |
Not vulnerable
(2.9.7+dfsg-1)
|
|
| mantic |
Not vulnerable
(2.9.7+dfsg-1)
|
|
| trusty |
Needed
|
|
| upstream |
Released
(2.9.7+dfsg-1, 1.7.2+dfsg-2+deb9u3)
|
|
| xenial |
Needed
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 3.9 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |