Candidate: CVE-2020-1746
PublicDate: 2020-05-12 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1746
 https://bugzilla.redhat.com/show_bug.cgi?id=1805491
 https://github.com/ansible/ansible/pull/67866
Description:
 A flaw was found in the Ansible Engine affecting Ansible Engine versions
 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well
 as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3
 when the ldap_attr and ldap_entry community modules are used. The issue
 discloses the LDAP bind password to stdout or a log file if a playbook task
 is written using the bind_pw in the parameters field. The highest threat
 from this vulnerability is data confidentiality.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N [5.0 MEDIUM]


Patches_ansible:
upstream_ansible: needs-triage
precise/esm_ansible: DNE
trusty_ansible: ignored (out of standard support)
trusty/esm_ansible: needs-triage
xenial_ansible: ignored (end of standard support, was needs-triage)
bionic_ansible: needs-triage
eoan_ansible: ignored (reached end-of-life)
focal_ansible: needs-triage
groovy_ansible: not-affected (2.9.7+dfsg-1)
hirsute_ansible: not-affected (2.9.7+dfsg-1)
impish_ansible: not-affected (2.9.7+dfsg-1)
jammy_ansible: not-affected (2.9.7+dfsg-1)
devel_ansible: not-affected (2.9.7+dfsg-1)