Use of insufficiently random values in Ansible - CVE-2020-10729

 

Use of insufficiently random values in Ansible - CVE-2020-10729

Published: August 8, 2021


Vulnerability identifier: #VU55643
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-10729
CWE-ID: CWE-330
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Red Hat Inc.
Affected software:
Ansible

Detailed vulnerability description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to usegae of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens.


How to mitigate CVE-2020-10729

Install updates from vendor's website.

Sources