CVE-2020-1739
information disclosure vulnerability in ansible (PyPI)

information disclosure No known exploit

What is CVE-2020-1739 About?

This information disclosure flaw in Ansible versions 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior exposes SVN repository passwords. When the `svn` module's `password` argument is used, the password is passed on the command line, making it visible in `procfs` to other users. This allows local attackers to view sensitive credentials, and exploitation is relatively easy for co-located users.

Affected Software

  • ansible
    • >=2.8.0a1, <2.8.11
    • >=2.9.0a1, <2.9.7
    • <2.7.17

Technical Details

The vulnerability exists in Ansible versions 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior. When the `password` argument is used with the `svn` module to set a password, Ansible passes this password directly on the svn command line. On Linux and Unix-like systems, command-line arguments of running processes are typically visible via the `/proc/<PID>/cmdline` file within procfs. Consequently, any local attacker or unauthorized user on the same node who can read the cmdline file for that process's PID can trivially extract the SVN password, leading to information disclosure and potential access to the SVN repository.
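The difference between a secret in argv and a secret on stdin can be checked on any Linux host without Ansible or svn. The following is an added example, not Ansible's code or its patch: it starts a stand-in child process both ways and reads `/proc/<PID>/cmdline` for it. The child command, `SECRET`, and all function names are assumptions made for illustration.

```python
import subprocess
import sys

SECRET = "constructed-example-password"  # constructed sample, not a real credential

# Stand-in for the svn client: reports how many characters arrived on stdin.
CHILD = [sys.executable, "-c", "import sys; print(len(sys.stdin.read()))"]


def observe(extra_args, stdin_data=""):
    """Run the stand-in child; return (argv as shown in procfs, chars it read from stdin)."""
    proc = subprocess.Popen(CHILD + extra_args, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    try:
        # World-readable by default on Linux: any local user can open this file.
        with open(f"/proc/{proc.pid}/cmdline", "rb") as fh:
            raw = fh.read()
    finally:
        out, _ = proc.communicate(stdin_data)  # send stdin, close it, reap the child
    argv = [a.decode() for a in raw.split(b"\0") if a]
    return argv, int(out)


def run_vulnerable():
    # Pattern from the advisory: the password is an argument on the command line.
    return observe(["--password", SECRET])


def run_hardened():
    # The password travels over a pipe; argv carries only a flag.
    # (Flag name mirrors Subversion's --password-from-stdin option.)
    return observe(["--password-from-stdin"], SECRET)


if __name__ == "__main__":
    for name, fn in (("argv", run_vulnerable), ("stdin", run_hardened)):
        argv, received = fn()
        print(f"{name}: secret in cmdline={SECRET in argv}, child read {received} chars")
```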

What is the Impact of CVE-2020-1739?

Successful exploitation may allow attackers to gain unauthorized access to sensitive SVN repository passwords, leading to compromise of version control systems, source code, and other confidential data.

What is the Exploitability of CVE-2020-1739?

Exploitation of this vulnerability is of low complexity. It requires the 'password' argument of the svn module to be in use, and an attacker to have local access to the system running Ansible. No specific authentication to Ansible is needed; instead, the attacker needs local access to the operating system where Ansible is executing. The vulnerability is local, as it involves reading files from procfs. The main precondition is the presence of other users on the same node who can access procfs entries. Risk factors include shared hosting environments or multi-user systems where Ansible is employed to interact with SVN repositories using password authentication.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2020-1739?

Available Upgrade Options

  • ansible
    • <2.7.17 → Upgrade to 2.7.17
  • ansible
    • >=2.8.0a1, <2.8.11 → Upgrade to 2.8.11
  • ansible
    • >=2.9.0a1, <2.9.7 → Upgrade to 2.9.7

Additional Resources

What are Similar Vulnerabilities to CVE-2020-1739?

Similar Vulnerabilities: CVE-2018-10855, CVE-2019-14858, PYSEC-2019-74, CVE-2020-14332, CVE-2021-3620