PT-2020-6569 · Red Hat+2 · Ansible Engine+2

Bcoca · Published 2020-03-16 · Updated 2025-11-21 · CVE-2020-1753

CVSS v4.0: 6.8 (Medium)

Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Ansible Engine versions 2.7.x prior to 2.7.17
Ansible Engine versions 2.8.x prior to 2.8.11
Ansible Engine versions 2.9.x prior to 2.9.7

Description

A security flaw was found in Ansible Engine when managing Kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl on the command line rather than through an environment variable or an input configuration file. This discloses passwords and tokens in the process list, and the no_log directive from the debug module has no effect, so these secrets are also disclosed on stdout and in log files.

Recommendations

For Ansible Engine versions 2.7.x prior to 2.7.17, update to version 2.7.17 or later.
For Ansible Engine versions 2.8.x prior to 2.8.11, update to version 2.8.11 or later.
For Ansible Engine versions 2.9.x prior to 2.9.7, update to version 2.9.7 or later.

As a temporary workaround, consider restricting access to the k8s module until a patch is available. Avoid using sensitive parameters such as passwords and tokens in the k8s module until the issue is resolved.
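
An added example, not code from this advisory or from Ansible: a defender-side audit that flags kubectl invocations whose argument list carries credentials, which is the process-list exposure the description refers to, and prints them with the values masked. The PIDs, host name, file path and secret values are constructed; the NUL-separated layout is that of Linux `/proc/<pid>/cmdline`.

```python
"""Audit process command lines for kubectl credentials passed as arguments."""

# kubectl global options that carry a credential on the command line.
SECRET_FLAGS = {"--token", "--password"}
MASK = "********"

# Constructed sample data: three /proc/<pid>/cmdline buffers (no real secrets).
SAMPLES = {
    4101: b"/usr/bin/kubectl\0--server=https://k8s.example.test:6443\0"
          b"--token=EXAMPLE-TOKEN\0apply\0-f\0-\0",
    4102: b"kubectl\0--username\0deploy\0--password\0EXAMPLE-PASSWORD\0get\0pods\0",
    4103: b"kubectl\0--kubeconfig\0/etc/ansible/kubeconfig\0get\0pods\0",
}

def parse_cmdline(raw):
    """Split a NUL-separated argv buffer into a list of arguments."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def audit_argv(argv):
    """Return (exposed_flags, redacted_argv) for one process."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "kubectl":
        return [], list(argv)
    exposed, redacted, hide_next = [], [], False
    for arg in argv:
        if hide_next:                      # value of a preceding "--flag VALUE"
            redacted.append(MASK)
            hide_next = False
            continue
        flag, sep, _value = arg.partition("=")
        if flag in SECRET_FLAGS:
            exposed.append(flag)
            redacted.append(f"{flag}={MASK}" if sep else flag)
            hide_next = not sep            # "--flag VALUE" form: mask next arg
        else:
            redacted.append(arg)
    return exposed, redacted

def audit_processes(samples):
    """Map pid -> (exposed flags, redacted command line) for offending processes."""
    findings = {}
    for pid, raw in samples.items():
        exposed, redacted = audit_argv(parse_cmdline(raw))
        if exposed:
            findings[pid] = (exposed, " ".join(redacted))
    return findings

if __name__ == "__main__":
    for pid, (flags, line) in audit_processes(SAMPLES).items():
        print(pid, flags, line)
```

The third sample, which points kubectl at a configuration file instead of passing the credential as an argument, produces no finding.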

Exploit

Fix

Insertion into Log File

Information Disclosure

Weakness Enumeration

Related Identifiers

ALT-PU-2020-2050
ALT-PU-2020-2069
BDU:2022-00239
CVE-2020-1753
DSA-4950-1
GHSA-86HP-CJ9J-33VV
MGASA-2020-0217
OESA-2021-1349
OESA-2022-1950
OPENSUSE-SU-2022:0081-1
OPENSUSE-SU-2024:10615-1
OPENSUSE-SU-2024:14244-1
OPENSUSE-SU-2024:14536-1
OPENSUSE-SU-2025:15605-1
OPENSUSE-SU-2025:15753-1
PYSEC-2020-210
RHSA-2020:1541
RHSA-2020:1542
RHSA-2020:2142
SUSE-SU-2020:3309-1
SUSE-SU-2024:1509-1

Affected Products

Alt Linux
Ansible Engine
Astra Linux