CVE-2020-25635

A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality.

CVSS v3 5.0 MEDIUM
CVSS v2.0 2.1 LOW

5.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.3 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25635	Issue Tracking Vendor Advisory
https://github.com/ansible-collections/community.aws/issues/222	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25635	Issue Tracking Vendor Advisory
https://github.com/ansible-collections/community.aws/issues/222	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:ansible:2.10.1:rc2:*:*:*:*:*:*

History

21 Nov 2024, 05:18

Type	Values Removed	Values Added
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25635 - Issue Tracking, Vendor Advisory~~	() https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25635 - Issue Tracking, Vendor Advisory
References	~~() https://github.com/ansible-collections/community.aws/issues/222 - Third Party Advisory~~	() https://github.com/ansible-collections/community.aws/issues/222 - Third Party Advisory
CVSS	v2 : ~~2.1~~ v3 : ~~5.5~~	v2 : 2.1 v3 : 5.0

Information

Published : 2020-10-05 14:15

Updated : 2024-11-21 05:18

NVD link : CVE-2020-25635

Mitre link : CVE-2020-25635

CVE.ORG link : CVE-2020-25635

JSON object : View

Products Affected

redhat

ansible

CWE

CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer

{"id": "CVE-2020-25635", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2020-10-05T14:15:13.217", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25635", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/ansible-collections/community.aws/issues/222", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25635", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/ansible-collections/community.aws/issues/222", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-212"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-212"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en Ansible Base al usar el plugin de conexi\u00f3n aws_ssm, ya que la recolecci\u00f3n de basura no est\u00e1 pasando despu\u00e9s de que el playbook se haya completado. Los archivos permanecer\u00edan en el bucket exponiendo los datos. Este problema afecta directamente a la confidencialidad de los datos"}], "lastModified": "2024-11-21T05:18:17.847", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible:2.10.1:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9C88089F-2A0A-4D2E-915B-C58D7402821C"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}