CVE-2020-1739
Exposure of Sensitive Information to an Unauthorized Actor in Ansible
CVSS 3.1: 3.9 (LOW)
EPSS: 0.05%
Description
A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior. When a password is set with the "password" argument of the svn module, it is passed on the svn command line, which discloses it to other users on the same node. An attacker could take advantage of this by reading the cmdline file for that particular PID on procfs.
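The exposure described above, shown on a process the script starts itself and contrasted with passing the secret over stdin. This is an added example, not Ansible's code: the child process, the `--password` argument on it and the sample password are constructed stand-ins, and it assumes a Linux procfs.

```python
import subprocess
import sys

SECRET = "constructed-example-password"  # constructed sample value, not a real credential

# Stand-in for the svn client: reads one line from stdin, then waits for stdin to close.
CHILD = "import sys; sys.stdin.readline(); sys.stdin.read()"


def visible_cmdline(pid):
    """Return the argv of `pid` exactly as procfs exposes it to local users."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return [arg.decode() for arg in fh.read().split(b"\0") if arg]


def run_and_inspect(secret_in_argv):
    """Start the child, snapshot its /proc cmdline while it runs, then stop it."""
    argv = [sys.executable, "-c", CHILD]
    if secret_in_argv:
        argv += ["--password", SECRET]  # the pattern the CVE describes
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE)
    try:
        if not secret_in_argv:
            # Hardened variant: the secret travels over the pipe, not argv.
            proc.stdin.write(SECRET.encode() + b"\n")
            proc.stdin.flush()
        return visible_cmdline(proc.pid)
    finally:
        proc.stdin.close()  # lets the child finish
        proc.wait()


def secret_exposed(secret_in_argv):
    """True if the secret appears anywhere in the child's visible command line."""
    return any(SECRET in arg for arg in run_and_inspect(secret_in_argv))


if __name__ == "__main__":
    print("secret in argv  -> visible in /proc cmdline:", secret_exposed(True))
    print("secret on stdin -> visible in /proc cmdline:", secret_exposed(False))
```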
How to fix CVE-2020-1739
To remediate CVE-2020-1739, upgrade the affected package to a fixed version below.
- upgrade to 2.8.9-r0 or later
- upgrade to 2.9.7-r0 or later
- upgrade to 2.9.7+dfsg-1 or later
- upgrade to 2.7.17 or later
- upgrade to 2.7.17 or later
Is CVE-2020-1739 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (5)
- from 0, < 2.8.9-r0
- from 0, < 2.9.7-r0
- from 0, < 2.9.7+dfsg-1
- from 0, < 2.7.17
- from 0, < 2.7.17, >= 2.8.0, < 2.8.9, >= 2.9.0, < 2.9.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | LOW 3.9 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |