
Command used in subversion module is problematic #67797

Status: Closed (opened by @samdoran)

Description

@samdoran
SUMMARY

CVE-2020-1739

The password is used in the svn command that is run by the subversion module. The password should be passed in via some mechanism other than a command-line parameter, to avoid it being read from /proc/<pid>/cmdline on the managed node.

Problematic code:

```python
# The password becomes an element of argv, so it is visible in
# /proc/<pid>/cmdline (and in `ps`) for as long as the svn process runs.
bits.extend(["--password", self.password])
bits.extend(args)
rc, out, err = self.module.run_command(bits, check_rc)
```

ISSUE TYPE

  • Bug Report

COMPONENT NAME

lib/ansible/modules/source_control/subversion.py

ANSIBLE VERSION

2.10

CONFIGURATION

default

OS / ENVIRONMENT

STEPS TO REPRODUCE
```yaml
- subversion:
    repo: svn+ssh://an.example.org/path/to/repo
    dest: /src/checkout
    checkout: no
    update: no
    password: "{{ vault_svn_pass }}"
```
EXPECTED RESULTS

Password is not visible.

ACTUAL RESULTS

Password can be observed at /proc/<pid>/cmdline on the managed node.
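The following is an added illustration, not code from the issue or from the Ansible subversion module, that contrasts the problematic argv construction above with a variant that keeps the secret out of argv, and adds a defensive check that reads `/proc/<pid>/cmdline` the way the report describes. It assumes an svn client of version 1.10 or newer, which accepts `--password-from-stdin`; the `SVN_PATH` value, the `deploy` username and the `example-secret` password are constructed sample values.

```python
import os
import subprocess
from typing import List, Optional, Tuple

# Assumed location of the svn binary on the managed node; adjust as needed.
SVN_PATH = "/usr/bin/svn"


def build_svn_command(svn_path: str, args: List[str], username: str,
                      password: str, password_in_argv: bool) -> Tuple[List[str], Optional[str]]:
    """Return (argv, stdin_data) for an svn invocation.

    password_in_argv=True reproduces the pattern from the issue: the secret is
    an argv element and is readable from /proc/<pid>/cmdline by any local user.
    password_in_argv=False keeps argv free of the secret and feeds it on stdin
    using --password-from-stdin (assumes svn >= 1.10).
    """
    bits = [svn_path, "--non-interactive", "--no-auth-cache", "--username", username]
    if password_in_argv:
        bits.extend(["--password", password])
        stdin_data = None
    else:
        bits.append("--password-from-stdin")
        stdin_data = password + "\n"
    bits.extend(args)
    return bits, stdin_data


def parse_proc_cmdline(raw: bytes) -> List[str]:
    """Split the NUL-separated contents of /proc/<pid>/cmdline into argv."""
    return [part.decode("utf-8", "replace") for part in raw.split(b"\0") if part]


def argv_exposes_secret(argv: List[str], secret: str) -> bool:
    """True if the secret appears in any argv element (covers both the
    '--password x' and the '--password=x' spellings)."""
    return any(secret in arg for arg in argv)


def find_processes_exposing(secret: str, proc_root: str = "/proc") -> List[int]:
    """Defensive check: PIDs whose command line currently contains the secret.
    Only processes whose cmdline the caller may read are inspected."""
    pids: List[int] = []
    if not os.path.isdir(proc_root):
        return pids
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:
            continue
        if argv_exposes_secret(parse_proc_cmdline(raw), secret):
            pids.append(int(name))
    return pids


def run_svn(argv: List[str], stdin_data: Optional[str]) -> subprocess.CompletedProcess:
    """Run svn, supplying the password on stdin when the argv form requires it."""
    return subprocess.run(argv, input=stdin_data, text=True, capture_output=True)


if __name__ == "__main__":
    secret = "example-secret"  # constructed sample value
    repo_args = ["info", "https://svn.example.org/repo"]  # constructed sample repo
    bad, _ = build_svn_command(SVN_PATH, repo_args, "deploy", secret, True)
    good, data = build_svn_command(SVN_PATH, repo_args, "deploy", secret, False)
    print("argv with --password exposes the secret:", argv_exposes_secret(bad, secret))
    print("argv with --password-from-stdin exposes the secret:", argv_exposes_secret(good, secret))
```

In an Ansible module the same split applies: the argv list goes to `run_command` and the password goes through its `data` argument, which is written to the child's stdin. `find_processes_exposing` is a host-side check an operator can run to confirm that no running process carries a known credential in its command line.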

Metadata

Labels

  • affects_2.10: This issue/PR affects Ansible v2.10
  • bug: This issue/PR relates to a bug.
  • module: This issue/PR relates to a module.
  • security: Related to a vulnerability or CVE
  • source_control: Source-control category
  • support:core: This issue/PR relates to code supported by the Ansible Engineering Team.
