Use of insufficiently random values in Ansible - CVE-2020-10729
Published: August 8, 2021
Vulnerability identifier: #VU55643
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-10729
CWE-ID: CWE-330
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Red Hat Inc.
Affected software:
Ansible
Ansible
Detailed vulnerability description
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to usegae of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens.
How to mitigate CVE-2020-10729
Install updates from vendor's website.