CVE-2020-10729

MEDIUM

Ansible Engine < 2.9.6 - Use of Insufficiently Random Values in Password Lookup

Title source: llm
STIX 2.1

Description

A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6.

References (3)

Core 3
Core References
Issue Tracking, Vendor Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1831089
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/ansible/ansible/issues/34144
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2021/dsa-4950

Scores

CVSS v3 5.5
EPSS 0.0043
EPSS Percentile 34.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-330
Status published
Products (3)
debian/debian_linux 10.0
pypi/ansible 0 - 2.9.6PyPI
redhat/ansible_engine < 2.9.6
Published May 27, 2021
Tracked Since Feb 18, 2026