Credential Exposure Affecting ansible package, versions [2.7.0, 2.7.17) [2.8.0 , 2.8.11) [2.9.0, 2.9.7)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-ANSIBLE-568827
- published 11 May 2020
- disclosed 11 May 2020
- credit Unknown
Introduced: 11 May 2020
CVE-2020-10685 Open this link in a new tabHow to fix?
Upgrade ansible
to version 2.7.17, 2.8.11, 2.9.7 or higher.
Overview
ansible is a simple IT automation system.
Affected versions of this package are vulnerable to Credential Exposure. When using modules which decrypt vault files such as assemble
, script
, unarchive
, win_copy
, aws_s3
or copy
modules. The temporary directory is created in /tmp
leaves the secrets unencrypted. On Operating Systems in which /tmp
is not a tmpfs
but part of the root partition, the directory is only cleared on boot and the decryp
remains when the host is switched off. The system will be vulnerable when the system is not running.