{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"MEDIUM"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the same value, because the template caching action for the same file means that no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6.",
				"category":"general",
				"title":"Synopsis"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-10729"
			},
			{
				"summary":"CVE-2020-10729 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/cve/2020/csaf-openeuler-cve-2020-10729.json"
			},
			{
				"summary":"openEuler-SA-2021-1349",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1349"
			},
			{
				"summary":"CVE-2020-10729",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2020-10729&packageName=ansible"
			},
			{
				"summary":"openEuler-SA-2022-1950",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1950"
			}
		],
		"title":"openEuler cve CVE-2020-10729",
		"tracking":{
			"initial_release_date":"2021-09-24T09:22:23+08:00",
			"revision_history":[
				{
					"date":"2021-09-24T09:22:23+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				},
				{
					"date":"2022-09-23T09:45:48+08:00",
					"summary":"Current version",
					"number":"2.0.0"
				},
				{
					"date":"2024-10-31T09:22:23+08:00",
					"summary":"Current version",
					"number":"3.0.0"
				},
				{
					"date":"2024-10-31T09:45:48+08:00",
					"summary":"Current version",
					"number":"4.0.0"
				}
			],
			"generator":{
				"date":"2024-10-31T09:45:48+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2024-10-31T09:45:48+08:00",
			"id":"CVE-2020-10729",
			"version":"4.0.0",
			"status":"interim"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2"
									},
									"product_id":"openEuler-20.03-LTS-SP2",
									"name":"openEuler-20.03-LTS-SP2"
								},
								"name":"openEuler-20.03-LTS-SP2",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"openEuler-20.03-LTS-SP1",
									"name":"openEuler-20.03-LTS-SP1"
								},
								"name":"openEuler-20.03-LTS-SP1",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2"
									},
									"product_id":"ansible-2.5.5-2.oe1.noarch.rpm(20.03-LTS-SP2)",
									"name":"ansible-2.5.5-2.oe1.noarch.rpm"
								},
								"name":"ansible-2.5.5-2.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"ansible-2.5.5-6.oe1.noarch.rpm(20.03-LTS-SP1)",
									"name":"ansible-2.5.5-6.oe1.noarch.rpm"
								},
								"name":"ansible-2.5.5-6.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2"
									},
									"product_id":"ansible-help-2.5.5-2.oe1.noarch.rpm(20.03-LTS-SP2)",
									"name":"ansible-help-2.5.5-2.oe1.noarch.rpm"
								},
								"name":"ansible-help-2.5.5-2.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"ansible-help-2.5.5-6.oe1.noarch.rpm(20.03-LTS-SP1)",
									"name":"ansible-help-2.5.5-6.oe1.noarch.rpm"
								},
								"name":"ansible-help-2.5.5-6.oe1.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2"
									},
									"product_id":"ansible-2.5.5-2.oe1.src.rpm(20.03-LTS-SP2)",
									"name":"ansible-2.5.5-2.oe1.src.rpm"
								},
								"name":"ansible-2.5.5-2.oe1.src.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"ansible-2.5.5-6.oe1.src.rpm(20.03-LTS-SP1)",
									"name":"ansible-2.5.5-6.oe1.src.rpm"
								},
								"name":"ansible-2.5.5-6.oe1.src.rpm",
								"category":"product_version"
							}
						],
						"category":"product_name"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP2",
				"product_reference":"ansible-help-2.5.5-2.oe1.noarch.rpm(20.03-LTS-SP2)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP2:ansible-help-2.5.5-2.oe1.noarch",
					"name":"ansible-help-2.5.5-2.oe1.noarch as a component of openEuler-20.03-LTS-SP2"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP2",
				"product_reference":"ansible-2.5.5-2.oe1.noarch.rpm(20.03-LTS-SP2)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP2:ansible-2.5.5-2.oe1.noarch",
					"name":"ansible-2.5.5-2.oe1.noarch as a component of openEuler-20.03-LTS-SP2"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP2",
				"product_reference":"ansible-2.5.5-2.oe1.src.rpm(20.03-LTS-SP2)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP2:ansible-2.5.5-2.oe1.src",
					"name":"ansible-2.5.5-2.oe1.src as a component of openEuler-20.03-LTS-SP2"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"ansible-2.5.5-6.oe1.noarch.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:ansible-2.5.5-6.oe1.noarch",
					"name":"ansible-2.5.5-6.oe1.noarch as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"ansible-help-2.5.5-6.oe1.noarch.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:ansible-help-2.5.5-6.oe1.noarch",
					"name":"ansible-help-2.5.5-6.oe1.noarch as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"ansible-2.5.5-6.oe1.src.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:ansible-2.5.5-6.oe1.src",
					"name":"ansible-2.5.5-6.oe1.src as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2020-10729",
			"notes":[
				{
					"text":"A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the same value, because the template caching action for the same file means that no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-20.03-LTS-SP2:ansible-help-2.5.5-2.oe1.noarch",
					"openEuler-20.03-LTS-SP2:ansible-2.5.5-2.oe1.noarch",
					"openEuler-20.03-LTS-SP2:ansible-2.5.5-2.oe1.src",
					"openEuler-20.03-LTS-SP1:ansible-2.5.5-6.oe1.noarch",
					"openEuler-20.03-LTS-SP1:ansible-help-2.5.5-6.oe1.noarch",
					"openEuler-20.03-LTS-SP1:ansible-2.5.5-6.oe1.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-20.03-LTS-SP2:ansible-help-2.5.5-2.oe1.noarch",
						"openEuler-20.03-LTS-SP2:ansible-2.5.5-2.oe1.noarch",
						"openEuler-20.03-LTS-SP2:ansible-2.5.5-2.oe1.src"
					],
					"details":"ansible security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1349"
				},
				{
					"product_ids":[
						"openEuler-20.03-LTS-SP1:ansible-2.5.5-6.oe1.noarch",
						"openEuler-20.03-LTS-SP1:ansible-help-2.5.5-6.oe1.noarch",
						"openEuler-20.03-LTS-SP1:ansible-2.5.5-6.oe1.src"
					],
					"details":"ansible security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1950"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":5.5,
						"vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-20.03-LTS-SP2:ansible-help-2.5.5-2.oe1.noarch",
						"openEuler-20.03-LTS-SP2:ansible-2.5.5-2.oe1.noarch",
						"openEuler-20.03-LTS-SP2:ansible-2.5.5-2.oe1.src",
						"openEuler-20.03-LTS-SP1:ansible-2.5.5-6.oe1.noarch",
						"openEuler-20.03-LTS-SP1:ansible-help-2.5.5-6.oe1.noarch",
						"openEuler-20.03-LTS-SP1:ansible-2.5.5-6.oe1.src"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2020-10729"
		}
	]
}