CVE-2020-10782

CWE-200 — Information Exposure CWE-276 — Incorrect Default Permissions CWE-732 — Incorrect Permission Assignment5 documents5 sources

Severity

6.5MEDIUM

EPSS

0.0%

top 88.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

RED HAT Ansible Tower Redhat Ansible Tower

Timeline

PublishedJun 18

Latest updateMay 24

Description

An exposure of sensitive information flaw was found in Ansible version 3.7.0. Sensitive information, such tokens and other secrets could be readable and exposed from the rsyslog configuration file, which has set the wrong world-readable permissions. The highest threat from this vulnerability is to confidentiality. This is fixed in Ansible version 3.7.1.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 2.0 | Impact: 4.0

Affected Packages2 packages

▶NVDredhat/ansible_tower3.7.0

▶CVEListV5red_hat/ansible_towerAffected: version 3.7.0, Fixed: version 3.7.1+1

🔴Vulnerability Details

GHSA

GHSA-8g82-ff8g-pqf2: An exposure of sensitive information flaw was found in Ansible Tower before version 3↗2022-05-24

▶

CVEList

CVE-2020-10782: An exposure of sensitive information flaw was found in Ansible version 3↗2020-06-18

▶

📋Vendor Advisories

Red Hat

Tower: rsyslog configuration has world readable permissions↗2020-06-17

▶

💬Community

Bugzilla

CVE-2020-10782 Tower: rsyslog configuration has world readable permissions↗2020-06-17

▶