| Name | CVE-2020-10729 |
| Description | A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-4950-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| ansible (PTS) | jessie, jessie (lts) | 1.7.2+dfsg-2+deb8u3 | fixed |
| stretch (security), stretch (lts), stretch | 2.2.1.0-2+deb9u3 | vulnerable |
| buster (security), buster, buster (lts) | 2.7.7+dfsg-1+deb10u2 | fixed |
| bullseye | 2.10.7+merged+base+2.10.17+dfsg-0+deb11u1 | fixed |
| bookworm | 7.7.0+dfsg-3+deb12u1 | fixed |
| sid, trixie | 10.6.0+dfsg-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| ansible | source | jessie | (not affected) | | | |
| ansible | source | stretch | (unfixed) | end-of-life | | |
| ansible | source | buster | 2.7.7+dfsg-1+deb10u1 | | DSA-4950-1 | |
| ansible | source | (unstable) | 2.9.6+dfsg-1 | | | |
Notes
[stretch] - ansible <end-of-life> (EOL'd for stretch)
[jessie] - ansible <not-affected> (Vulnerable code introduced later, no variables template caching)
https://github.com/ansible/ansible/issues/34144
https://github.com/ansible/ansible/pull/67429/
https://github.com/ansible/ansible/commit/b38603c45ed3a53574ec2080fb3a24db38ab5bc6
Introduced in https://github.com/ansible/ansible/commit/87a9485b2f5a3188460f0a0219d2e0d990ce4e67 (2.0)