CVE-2020-10729

NameCVE-2020-10729
DescriptionA flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-4950-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ansible (PTS)jessie, jessie (lts)1.7.2+dfsg-2+deb8u3fixed
stretch (security), stretch (lts), stretch2.2.1.0-2+deb9u3vulnerable
buster (security), buster, buster (lts)2.7.7+dfsg-1+deb10u2fixed
bullseye2.10.7+merged+base+2.10.17+dfsg-0+deb11u1fixed
bookworm7.7.0+dfsg-3+deb12u1fixed
sid, trixie10.5.0+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ansiblesourcejessie(not affected)
ansiblesourcestretch(unfixed)end-of-life
ansiblesourcebuster2.7.7+dfsg-1+deb10u1DSA-4950-1
ansiblesource(unstable)2.9.6+dfsg-1

Notes

[stretch] - ansible <end-of-life> (EOL'd for stretch)
[jessie] - ansible <not-affected> (Vulnerable code introduced later, no variables template caching)
https://github.com/ansible/ansible/issues/34144
https://github.com/ansible/ansible/pull/67429/
https://github.com/ansible/ansible/commit/b38603c45ed3a53574ec2080fb3a24db38ab5bc6
Introduced in https://github.com/ansible/ansible/commit/87a9485b2f5a3188460f0a0219d2e0d990ce4e67 (2.0)

Search for package or bug name: Reporting problems