Homepage
About Snyk

Credential Exposure Affecting ansible package, versions [2.7.0, 2.7.17) [2.8.0 , 2.8.11) [2.9.0, 2.9.7)

0.0
medium

Snyk CVSS

    Attack Complexity Low
    User Interaction Required

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.05% (14th percentile)
Expand this section
NVD
5.5 medium
Expand this section
Red Hat
5 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-ANSIBLE-568827
  • published 11 May 2020
  • disclosed 11 May 2020
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 11 May 2020

CVE-2020-10685 Open this link in a new tab
CWE-522 Open this link in a new tab

How to fix?

Upgrade ansible to version 2.7.17, 2.8.11, 2.9.7 or higher.

Overview

ansible is a simple IT automation system.

Affected versions of this package are vulnerable to Credential Exposure. When using modules which decrypt vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the secrets unencrypted. On Operating Systems in which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decryp remains when the host is switched off. The system will be vulnerable when the system is not running.