Command used in subversion module is problematic #67797
Labels
affects_2.10
This issue/PR affects Ansible v2.10
bug
This issue/PR relates to a bug.
module
This issue/PR relates to a module.
security
Related to a vulnerability or CVE
source_control
Source-control category
support:core
This issue/PR relates to code supported by the Ansible Engineering Team.
SUMMARY
CVE-2020-1739
The
passwordis used in thesvncommand that is run by thesubversionmodule. The password should be passed in via some other mechanism other than as a parameter to avoid the password being read at/proc/<pid>/cmdlineon the managed node.Problematic code:
ansible/lib/ansible/modules/source_control/subversion.py
Lines 138 to 140 in 79dfae9
ISSUE TYPE
COMPONENT NAME
lib/ansible/modules/source_control/subversion.pyANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
STEPS TO REPRODUCE
EXPECTED RESULTS
Password is not visible.
ACTUAL RESULTS
Password can be observed at
/proc/<pid>/cmdlineon the managed node.The text was updated successfully, but these errors were encountered: