Bug 1186493 - VUL-0: CVE-2021-20178: ansible1,ansible: ansible: user data leak in snmp_facts module
Status: RESOLVED DUPLICATE of bug 1180816
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Normal
Assigned To: Matej Cepl
Security Team bot
https://smash.suse.de/issue/300620/
CVSSv3.1:SUSE:CVE-2020-20178:5.5:(AV:...
Reported: 2021-05-27 09:57 UTC by Marcus Meissner
Modified: 2021-06-04 13:57 UTC
Found By: Security Response Team

Description Marcus Meissner 2021-05-27 09:57:43 UTC
The snmp_facts module in Ansible leaks user authentication such as authKey and privKey. This could lead to disclosing those credentials to every user who has access to the output of playbook execution.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1914774
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-20178
https://access.redhat.com/errata/RHSA-2021:0664.html
https://access.redhat.com/errata/RHSA-2021:1079.html
https://access.redhat.com/errata/RHSA-2021:0663.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-20178
Comment 1 Salvatore Bonaccorso 2021-06-01 19:55:44 UTC
Please note that this CVE seems to be very confusing.

CVE-2020-20178 refers to an OpenLDAP issue in the description, but links to an ansible bug in the Red Hat bugzilla. The same, on the other hand, is CVE-2021-20178.

So note the difference is only in the year part. I guess something went wrong on the submission here.

I tried to contact MITRE on 25 May on this issue.
Comment 2 Marcus Meissner 2021-06-02 08:15:10 UTC
I think this typo came from Red Hat... they typoed the 2020 CVE apparently.

2020 - openldap2
2021 - ansible
Comment 3 Gianluca Gabrielli 2021-06-04 13:57:34 UTC
This CVE is tracked via 1180816

*** This bug has been marked as a duplicate of bug 1180816 ***