cnvd - cnvd-2021-40762

cnvd-2021-40762

Vulnerability from cnvd

Title: Red Hat Ansible安全特征问题漏洞

Description:

Red Hat Ansible是美国红帽（Red Hat）公司的一款计算机系统配置管理器。该产品可用于发布、管理和编排计算机系统。

Ansible 2.9.6版本之前存在安全漏洞，该漏洞源于程序使用的随机值不足时发现了一个缺陷，该缺陷会将所有密码都会同时暴露。目前没有详细的漏洞细节提供。

Severity: 低

Patch Name: Red Hat Ansible安全特征问题漏洞的补丁

Patch Description:

Red Hat Ansible是美国红帽（Red Hat）公司的一款计算机系统配置管理器。该产品可用于发布、管理和编排计算机系统。

Ansible 2.9.6版本之前存在安全漏洞，该漏洞源于程序使用的随机值不足时发现了一个缺陷，该缺陷会将所有密码都会同时暴露。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://bugzilla.redhat.com/show_bug.cgi?id=1831089

Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-10729

Impacted products

Name
Red Hat Ansible <2.9.6

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-10729"
    }
  },
  "description": "Red Hat Ansible\u662f\u7f8e\u56fd\u7ea2\u5e3d\uff08Red Hat\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u8ba1\u7b97\u673a\u7cfb\u7edf\u914d\u7f6e\u7ba1\u7406\u5668\u3002\u8be5\u4ea7\u54c1\u53ef\u7528\u4e8e\u53d1\u5e03\u3001\u7ba1\u7406\u548c\u7f16\u6392\u8ba1\u7b97\u673a\u7cfb\u7edf\u3002\n\nAnsible 2.9.6\u7248\u672c\u4e4b\u524d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4f7f\u7528\u7684\u968f\u673a\u503c\u4e0d\u8db3\u65f6\u53d1\u73b0\u4e86\u4e00\u4e2a\u7f3a\u9677\uff0c\u8be5\u7f3a\u9677\u4f1a\u5c06\u6240\u6709\u5bc6\u7801\u90fd\u4f1a\u540c\u65f6\u66b4\u9732\u3002 \u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1831089",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-40762",
  "openTime": "2021-06-10",
  "patchDescription": "Red Hat Ansible\u662f\u7f8e\u56fd\u7ea2\u5e3d\uff08Red Hat\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u8ba1\u7b97\u673a\u7cfb\u7edf\u914d\u7f6e\u7ba1\u7406\u5668\u3002\u8be5\u4ea7\u54c1\u53ef\u7528\u4e8e\u53d1\u5e03\u3001\u7ba1\u7406\u548c\u7f16\u6392\u8ba1\u7b97\u673a\u7cfb\u7edf\u3002\r\n\r\nAnsible 2.9.6\u7248\u672c\u4e4b\u524d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u4f7f\u7528\u7684\u968f\u673a\u503c\u4e0d\u8db3\u65f6\u53d1\u73b0\u4e86\u4e00\u4e2a\u7f3a\u9677\uff0c\u8be5\u7f3a\u9677\u4f1a\u5c06\u6240\u6709\u5bc6\u7801\u90fd\u4f1a\u540c\u65f6\u66b4\u9732\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Red Hat Ansible\u5b89\u5168\u7279\u5f81\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Red Hat Ansible \u003c2.9.6"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-10729",
  "serverity": "\u4f4e",
  "submitTime": "2021-05-28",
  "title": "Red Hat Ansible\u5b89\u5168\u7279\u5f81\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2020-10729 (GCVE-0-2020-10729)

Vulnerability from cvelistv5

Published

2021-05-27 18:46

Modified

2024-08-04 11:14

Severity ?

CWE

CWE-330

Summary

A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6.

References

▼	URL	Tags
	https://bugzilla.redhat.com/show_bug.cgi?id=1831089	x_refsource_MISC
	https://github.com/ansible/ansible/issues/34144	x_refsource_MISC
	https://www.debian.org/security/2021/dsa-4950	vendor-advisory, x_refsource_DEBIAN

Impacted products

	Vendor	Product	Version
	n/a	Ansible	Version: ansible-engine 2.9.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:14:14.897Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831089"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ansible/ansible/issues/34144"
          },
          {
            "name": "DSA-4950",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4950"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Ansible",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "ansible-engine 2.9.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-330",
              "description": "CWE-330",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-07T14:06:30",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831089"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ansible/ansible/issues/34144"
        },
        {
          "name": "DSA-4950",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4950"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-10729",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Ansible",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "ansible-engine 2.9.6"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-330"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1831089",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1831089"
            },
            {
              "name": "https://github.com/ansible/ansible/issues/34144",
              "refsource": "MISC",
              "url": "https://github.com/ansible/ansible/issues/34144"
            },
            {
              "name": "DSA-4950",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2021/dsa-4950"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-10729",
    "datePublished": "2021-05-27T18:46:12",
    "dateReserved": "2020-03-20T00:00:00",
    "dateUpdated": "2024-08-04T11:14:14.897Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted