Use of Insufficiently Random Values

CVE-2020-10729

Medium

5.5/10

Summary

A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-330 - Use of Insufficiently Random Values

The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

References

Issue
Pull request
Advisory

Advisory Timeline

Published Dec 21, 2017

Use of Insufficiently Random Values

CVE-2020-10729

Summary

CWE-330 - Use of Insufficiently Random Values

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS