PT-2020-6568 · Red Hat+2 · Ansible Engine+3

Abadger · Published 2020-05-12 · Updated 2025-11-21 · CVE-2020-1746

CVSS v4.0: 5.1 (Medium)

Vector: AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Ansible Engine versions 2.7.x through 2.7.16
Ansible Engine versions 2.8.x through 2.8.10
Ansible Engine versions 2.9.x through 2.9.6
Ansible Tower versions 3.4.5 and earlier
Ansible Tower versions 3.5.5 and earlier
Ansible Tower version 3.6.3

Description

A flaw was found in the Ansible Engine affecting data confidentiality. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using bind_pw in the parameters field when the ldap_attr and ldap_entry community modules are used. The highest threat from this vulnerability is data confidentiality.

Recommendations

For Ansible Engine versions 2.7.x through 2.7.16, update to version 2.7.17 or later.
For Ansible Engine versions 2.8.x through 2.8.10, update to version 2.8.11 or later.
For Ansible Engine versions 2.9.x through 2.9.6, update to version 2.9.7 or later.
For Ansible Tower versions 3.4.5 and earlier, update to a version later than 3.4.5.
For Ansible Tower versions 3.5.5 and earlier, update to a version later than 3.5.5.
For Ansible Tower version 3.6.3, update to a version later than 3.6.3.

As a temporary workaround, consider avoiding the use of the bind_pw parameter in playbook tasks until a patch is available. Restrict access to the ldap_attr and ldap_entry community modules to minimize the risk of exploitation.
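As an added example (not part of the original advisory and not Ansible project code), the following Python check supports the workaround above by finding ldap_attr and ldap_entry tasks that pass bind_pw through the modules' params option. It assumes that "the parameters field" refers to params, that the playbook has already been parsed into Python data (for instance by a YAML loader), and that dotted collection names ending in these module names should also match; the function names and the sample play are constructed for illustration.

```python
# Added example: flag ldap_attr / ldap_entry tasks that pass bind_pw via the
# modules' "params" option (assumed to be the advisory's "parameters field").
LDAP_MODULES = {"ldap_attr", "ldap_entry"}
TASK_LISTS = ("tasks", "pre_tasks", "post_tasks", "handlers",
              "block", "rescue", "always")


def _module_args(task):
    """Yield (module, args) for ldap_attr/ldap_entry, short or dotted name."""
    for key, value in task.items():
        if str(key).rsplit(".", 1)[-1] in LDAP_MODULES:
            args = dict(value) if isinstance(value, dict) else {}
            # Module arguments may also be supplied through the "args" keyword.
            if isinstance(task.get("args"), dict):
                args.update(task["args"])
            yield str(key), args


def find_bind_pw_in_params(node, path="playbook"):
    """Walk plays, task lists and blocks; return (path, task name, module)."""
    findings = []
    if isinstance(node, list):
        for i, item in enumerate(node):
            findings += find_bind_pw_in_params(item, f"{path}[{i}]")
    elif isinstance(node, dict):
        for module, args in _module_args(node):
            params = args.get("params")
            if isinstance(params, dict) and "bind_pw" in params:
                findings.append((path, node.get("name", "<unnamed>"), module))
        for key in TASK_LISTS:
            if key in node:
                findings += find_bind_pw_in_params(node[key], f"{path}.{key}")
    return findings


# Constructed sample: the structure a YAML loader would return for one play.
SAMPLE = [{"hosts": "ldap_servers", "tasks": [
    {"name": "bind_pw as a regular option (not flagged)",
     "ldap_entry": {"dn": "ou=users,dc=example,dc=com",
                    "bind_pw": "{{ vault_ldap_pw }}"}},
    {"block": [
        {"name": "bind_pw inside params (flagged)",
         "ldap_attr": {"dn": "uid=jdoe,ou=users,dc=example,dc=com",
                       "name": "mail", "values": "jdoe@example.com",
                       "params": {"bind_pw": "{{ vault_ldap_pw }}"}}}]},
]}]

if __name__ == "__main__":
    for where, name, module in find_bind_pw_in_params(SAMPLE):
        print(f"{where}: task {name!r} passes bind_pw via {module} params")
```

Each finding gives the location of the task in the parsed playbook, so the task can be rewritten before the playbook is run on an unpatched version.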

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

ALT-PU-2020-2050
ALT-PU-2020-2069
BDU:2022-00238
CVE-2020-1746
DSA-4950-1
GHSA-J2H6-73X8-22C4
MGASA-2020-0217
OPENSUSE-SU-2022:0081-1
OPENSUSE-SU-2024:10615-1
OPENSUSE-SU-2024:14244-1
OPENSUSE-SU-2024:14536-1
OPENSUSE-SU-2025:15605-1
OPENSUSE-SU-2025:15753-1
PYSEC-2020-13
RHSA-2020:1541
RHSA-2020:1542
RHSA-2020:1543
RHSA-2020:1544
SUSE-SU-2020:3309-1

Affected Products

Alt Linux
Ansible Engine
Ansible Tower
Astra Linux