Moderate severityNVD Advisory· Published May 12, 2020· Updated Aug 4, 2024
CVE-2020-1746
CVE-2020-1746
Description
A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ansiblePyPI | >= 2.8.0a1, < 2.8.11 | 2.8.11 |
ansiblePyPI | >= 2.9.0a1, < 2.9.7 | 2.9.7 |
ansiblePyPI | >= 2.7.0a1, < 2.7.17 | 2.7.17 |
Affected products
1Patches
3edd1e1723cc9[2.7] CVE-2020-1746 - Remove the params module option from ldap_attr and ldap_entry (#68716)
5 files changed · +82 −23
changelogs/fragments/ldap-params-removal.yml+8 −0 added@@ -0,0 +1,8 @@ +removed_features: + - "ldap_attr, ldap_entry - The ``params`` option has been removed in + Ansible-2.10 as it circumvents Ansible's option handling. Setting + ``bind_pw`` with the ``params`` option was disallowed in Ansible-2.7, 2.8, + and 2.9 as it was insecure. For information about this policy, see the +discussion at: + https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html + This fixes CVE-2020-1746"
docs/docsite/rst/porting_guides/porting_guide_2.7.rst+14 −0 modified@@ -103,6 +103,15 @@ hashing algorithm being used with this filter. Deprecated ========== +Expedited Deprecation: Removal of the params module option in ``ldap_attr`` and ``ldap_entry`` +---------------------------------------------------------------------------------------------- + +The ``params`` module option in ``ldap_attr`` and ``ldap_entry`` are deprecated on a short cycle (to +be removed in Ansible-2.10) due to circumventing Ansible's normal option handling. In particular, +if the ``bind_pw`` option is set with ``params``, the value of the option could end up being placed +in a logfile or displayed on stdout. + + Expedited Deprecation: Use of ``__file__`` in ``AnsibleModule`` --------------------------------------------------------------- @@ -192,6 +201,11 @@ The following modules will be removed in Ansible 2.11. Please update your playbo Noteworthy module changes ------------------------- +* **Security Issue** Setting ``bind_pw`` with the ``params`` option for the ``ldap_entry`` and + ``ldap_attr`` modules has been disallowed. If ``bind_pw`` was set with ``params``, the value + could have ended up in a logfile or displayed on stdout. Set ``bind_pw`` directly, with the + modules' options instead. + * Check mode is now supported in the ``command`` and ``shell`` modules. However, only when ``creates`` or ``removes`` is specified. If either of these are specified, the module will check for existence of the file and report the correct changed status, if they are not included the module will skip like it had done previously.
lib/ansible/modules/net_tools/ldap/ldap_attr.py+29 −6 modified@@ -38,6 +38,9 @@ rules. This should work out in most cases, but it is theoretically possible to see spurious changes when target and actual values are semantically identical but lexically distinct. + - "The I(params) parameter is deprecated in Ansible-2.7 due to circumventing Ansible's parameter + handling. The I(params) parameter started disallowing setting the I(bind_pw) parameter in Ansible-2.7 + as it was insecure to set the parameter that way." version_added: '2.3' author: - Jiri Tyr (@jtyr) @@ -131,13 +134,15 @@ # server_uri: ldap://localhost/ # bind_dn: cn=admin,dc=example,dc=com # bind_pw: password +# +# In the example below, 'args' is a task keyword, passed at the same level as the module - name: Get rid of an unneeded attribute ldap_attr: dn: uid=jdoe,ou=people,dc=example,dc=com name: shadowExpire values: [] state: exact - params: "{{ ldap_auth }}" + args: "{{ ldap_auth }}" """ @@ -150,6 +155,7 @@ """ import traceback +from distutils.version import LooseVersion from ansible.module_utils.basic import AnsibleModule from ansible.module_utils._text import to_native, to_bytes @@ -249,11 +255,28 @@ def main(): module.fail_json( msg="Missing required 'ldap' module (pip install python-ldap)") - # Update module parameters with user's parameters if defined - if 'params' in module.params and isinstance(module.params['params'], dict): - module.params.update(module.params['params']) - # Remove the params - module.params.pop('params', None) + # For Ansible-2.9.x and below, allow the params module parameter with a warning + if LooseVersion(module.ansible_version) < LooseVersion('2.10'): + if module.params['params']: + module.deprecate("The `params` option to ldap_attr will be removed in Ansible 2.10" + " since it circumvents Ansible's option handling", version='2.10') + + # However, the bind_pw parameter contains a password so it **must** go through the normal + # argument parsing even though removing it breaks backwards compat. + if 'bind_pw' in module.params['params']: + module.fail_json(msg="Using `bind_pw` with the `params` option has been disallowed since" + " it is insecure. Use the `bind_pw` option directly. The `params`" + " option will be removed in Ansible-2.10") + + # Update module parameters with user's parameters if defined + module.params.update(module.params['params']) + # Remove params itself + module.params.pop('params', None) + else: + # For Ansible 2.10 and above + if module.params['params']: + module.fail_json(msg="The `params` option to ldap_attr was removed in Ansible-2.10 since" + " it circumvents Ansible's option handling") # Instantiate the LdapAttr object ldap = LdapAttr(module)
lib/ansible/modules/net_tools/ldap/ldap_entry.py+30 −17 modified@@ -32,6 +32,9 @@ rule allowing root to modify the server configuration. If you need to use a simple bind to access your server, pass the credentials in I(bind_dn) and I(bind_pw). + - "The I(params) parameter is deprecated in Ansible-2.7 due to circumventing Ansible's parameter + handling. The I(params) parameter started disallowing setting the I(bind_pw) parameter in Ansible-2.7 + as it was insecure to set the parameter that way." version_added: '2.3' author: - Jiri Tyr (@jtyr) @@ -48,11 +51,6 @@ - If I(state=present), value or list of values to use when creating the entry. It can either be a string or an actual list of strings. - params: - description: - - List of options which allows to overwrite any of the task or the - I(attributes) options. To remove an option, set the value of the option - to C(null). state: description: - The target state of the entry. @@ -94,11 +92,13 @@ # server_uri: ldap://localhost/ # bind_dn: cn=admin,dc=example,dc=com # bind_pw: password +# +# In the example below, 'args' is a task keyword, passed at the same level as the module - name: Get rid of an old entry ldap_entry: dn: ou=stuff,dc=example,dc=com state: absent - params: "{{ ldap_auth }}" + args: "{{ ldap_auth }}" """ @@ -107,6 +107,7 @@ """ import traceback +from distutils.version import LooseVersion from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.six import string_types @@ -202,6 +203,29 @@ def main(): module.fail_json( msg="Missing required 'ldap' module (pip install python-ldap).") + # For Ansible-2.9.x and below, allow the params module parameter with a warning + if LooseVersion(module.ansible_version) < LooseVersion('2.10'): + if module.params['params']: + module.deprecate("The `params` option to ldap_attr will be removed in Ansible 2.10" + " since it circumvents Ansible's option handling", version='2.10') + + # However, the bind_pw parameter contains a password so it **must** go through the normal + # argument parsing even though removing it breaks backwards compat. + if 'bind_pw' in module.params['params']: + module.fail_json(msg="Using `bind_pw` with the `params` option has been disallowed since" + " it is insecure. Use the `bind_pw` option directly. The `params`" + " option will be removed in Ansible-2.10") + + # Update module parameters with user's parameters if defined + module.params.update(module.params['params']) + # Remove params itself + module.params.pop('params', None) + else: + # For Ansible 2.10 and above + if module.params['params']: + module.fail_json(msg="The `params` option to ldap_attr was removed in Ansible-2.10 since" + " it circumvents Ansible's option handling") + state = module.params['state'] # Check if objectClass is present when needed @@ -215,17 +239,6 @@ def main(): isinstance(module.params['objectClass'], list))): module.fail_json(msg="objectClass must be either a string or a list.") - # Update module parameters with user's parameters if defined - if 'params' in module.params and isinstance(module.params['params'], dict): - for key, val in module.params['params'].items(): - if key in module.argument_spec: - module.params[key] = val - else: - module.params['attributes'][key] = val - - # Remove the params - module.params.pop('params', None) - # Instantiate the LdapEntry object ldap = LdapEntry(module)
test/sanity/validate-modules/ignore.txt+1 −0 modified@@ -631,6 +631,7 @@ lib/ansible/modules/net_tools/infinity/infinity.py E326 lib/ansible/modules/net_tools/ipify_facts.py E324 lib/ansible/modules/net_tools/ipify_facts.py E325 lib/ansible/modules/net_tools/ldap/ldap_attr.py E322 +lib/ansible/modules/net_tools/ldap/ldap_entry.py E322 lib/ansible/modules/net_tools/nmcli.py E324 lib/ansible/modules/net_tools/omapi_host.py E317 lib/ansible/modules/net_tools/omapi_host.py E322
e6199d768c1c[2.8] CVE-2020-1746 - Remove the params module option from ldap_attr and ldap_entry (#68715)
6 files changed · +92 −27
changelogs/fragments/ldap-params-removal.yml+8 −0 added@@ -0,0 +1,8 @@ +removed_features: + - "ldap_attr, ldap_entry - The ``params`` option has been removed in + Ansible-2.10 as it circumvents Ansible's option handling. Setting + ``bind_pw`` with the ``params`` option was disallowed in Ansible-2.7, 2.8, + and 2.9 as it was insecure. For information about this policy, see the +discussion at: + https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html + This fixes CVE-2020-1746"
docs/docsite/rst/porting_guides/porting_guide_2.7.rst+14 −0 modified@@ -103,6 +103,15 @@ hashing algorithm being used with this filter. Deprecated ========== +Expedited Deprecation: Removal of the params module option in ``ldap_attr`` and ``ldap_entry`` +---------------------------------------------------------------------------------------------- + +The ``params`` module option in ``ldap_attr`` and ``ldap_entry`` are deprecated on a short cycle (to +be removed in Ansible-2.10) due to circumventing Ansible's normal option handling. In particular, +if the ``bind_pw`` option is set with ``params``, the value of the option could end up being placed +in a logfile or displayed on stdout. + + Expedited Deprecation: Use of ``__file__`` in ``AnsibleModule`` --------------------------------------------------------------- @@ -192,6 +201,11 @@ The following modules will be removed in Ansible 2.11. Please update your playbo Noteworthy module changes ------------------------- +* **Security Issue** Setting ``bind_pw`` with the ``params`` option for the ``ldap_entry`` and + ``ldap_attr`` modules has been disallowed. If ``bind_pw`` was set with ``params``, the value + could have ended up in a logfile or displayed on stdout. Set ``bind_pw`` directly, with the + modules' options instead. + * Check mode is now supported in the ``command`` and ``shell`` modules. However, only when ``creates`` or ``removes`` is specified. If either of these are specified, the module will check for existence of the file and report the correct changed status, if they are not included the module will skip like it had done previously.
docs/docsite/rst/porting_guides/porting_guide_2.8.rst+9 −0 modified@@ -321,6 +321,11 @@ By default in Ansible 2.7, or with ``AGNOSTIC_BECOME_PROMPT=False`` in Ansible 2 Deprecated ========== +* The ``params`` module option in ``ldap_attr`` and ``ldap_entry`` are deprecated on a short cycle + (to be removed in Ansible-2.10) due to circumventing Ansible's normal option handling. In + particular, if the ``bind_pw`` option is set with ``params``, the value of the option could end up + being placed in a logfile or displayed on stdout. + * Setting the async directory using ``ANSIBLE_ASYNC_DIR`` as an task/play environment key is deprecated and will be removed in Ansible 2.12. You can achieve the same result by setting ``ansible_async_dir`` as a variable like:: @@ -403,6 +408,10 @@ The following modules will be removed in Ansible 2.12. Please update your playbo Noteworthy module changes ------------------------- +* **Security Issue** Setting ``bind_pw`` with the ``params`` option for the ``ldap_entry`` and + ``ldap_attr`` modules has been disallowed. If ``bind_pw`` was set with ``params``, the value + could have ended up in a logfile or displayed on stdout. Set ``bind_pw`` directly, with the + modules' options instead. * The ``foreman`` and ``katello`` modules have been deprecated in favor of a set of modules that are broken out per entity with better idempotency in mind. * The ``foreman`` and ``katello`` modules replacement is officially part of the Foreman Community and supported there. * The ``tower_credential`` module originally required the ``ssh_key_data`` to be the path to a ssh_key_file.
lib/ansible/modules/net_tools/ldap/ldap_attr.py+29 −10 modified@@ -35,6 +35,9 @@ rules. This should work out in most cases, but it is theoretically possible to see spurious changes when target and actual values are semantically identical but lexically distinct. + - "The I(params) parameter is deprecated in Ansible-2.7 due to circumventing Ansible's parameter + handling. The I(params) parameter started disallowing setting the I(bind_pw) parameter in Ansible-2.7 + as it was insecure to set the parameter that way." version_added: '2.3' author: - Jiri Tyr (@jtyr) @@ -62,10 +65,6 @@ a list of strings (see examples). type: raw required: true - params: - description: - - Additional module parameters. - type: dict extends_documentation_fragment: - ldap.documentation ''' @@ -133,13 +132,15 @@ # server_uri: ldap://localhost/ # bind_dn: cn=admin,dc=example,dc=com # bind_pw: password +# +# In the example below, 'args' is a task keyword, passed at the same level as the module - name: Get rid of an unneeded attribute ldap_attr: dn: uid=jdoe,ou=people,dc=example,dc=com name: shadowExpire values: [] state: exact - params: "{{ ldap_auth }}" + args: "{{ ldap_auth }}" ''' RETURN = r''' @@ -151,6 +152,7 @@ ''' import traceback +from distutils.version import LooseVersion from ansible.module_utils.basic import AnsibleModule, missing_required_lib from ansible.module_utils._text import to_native, to_bytes @@ -250,11 +252,28 @@ def main(): module.fail_json(msg=missing_required_lib('python-ldap'), exception=LDAP_IMP_ERR) - # Update module parameters with user's parameters if defined - if 'params' in module.params and isinstance(module.params['params'], dict): - module.params.update(module.params['params']) - # Remove the params - module.params.pop('params', None) + # For Ansible-2.9.x and below, allow the params module parameter with a warning + if LooseVersion(module.ansible_version) < LooseVersion('2.10'): + if module.params['params']: + module.deprecate("The `params` option to ldap_attr will be removed in Ansible 2.10" + " since it circumvents Ansible's option handling", version='2.10') + + # However, the bind_pw parameter contains a password so it **must** go through the normal + # argument parsing even though removing it breaks backwards compat. + if 'bind_pw' in module.params['params']: + module.fail_json(msg="Using `bind_pw` with the `params` option has been disallowed since" + " it is insecure. Use the `bind_pw` option directly. The `params`" + " option will be removed in Ansible-2.10") + + # Update module parameters with user's parameters if defined + module.params.update(module.params['params']) + # Remove params itself + module.params.pop('params', None) + else: + # For Ansible 2.10 and above + if module.params['params']: + module.fail_json(msg="The `params` option to ldap_attr was removed in Ansible-2.10 since" + " it circumvents Ansible's option handling") # Instantiate the LdapAttr object ldap = LdapAttr(module)
lib/ansible/modules/net_tools/ldap/ldap_entry.py+30 −17 modified@@ -32,6 +32,9 @@ rule allowing root to modify the server configuration. If you need to use a simple bind to access your server, pass the credentials in I(bind_dn) and I(bind_pw). + - "The I(params) parameter is deprecated in Ansible-2.7 due to circumventing Ansible's parameter + handling. The I(params) parameter started disallowing setting the I(bind_pw) parameter in Ansible-2.7 + as it was insecure to set the parameter that way." version_added: '2.3' author: - Jiri Tyr (@jtyr) @@ -48,11 +51,6 @@ - If I(state=present), value or list of values to use when creating the entry. It can either be a string or an actual list of strings. - params: - description: - - List of options which allows to overwrite any of the task or the - I(attributes) options. To remove an option, set the value of the option - to C(null). state: description: - The target state of the entry. @@ -94,11 +92,13 @@ # server_uri: ldap://localhost/ # bind_dn: cn=admin,dc=example,dc=com # bind_pw: password +# +# In the example below, 'args' is a task keyword, passed at the same level as the module - name: Get rid of an old entry ldap_entry: dn: ou=stuff,dc=example,dc=com state: absent - params: "{{ ldap_auth }}" + args: "{{ ldap_auth }}" """ @@ -107,6 +107,7 @@ """ import traceback +from distutils.version import LooseVersion from ansible.module_utils.basic import AnsibleModule, missing_required_lib from ansible.module_utils.six import string_types @@ -204,6 +205,29 @@ def main(): module.fail_json(msg=missing_required_lib('python-ldap'), exception=LDAP_IMP_ERR) + # For Ansible-2.9.x and below, allow the params module parameter with a warning + if LooseVersion(module.ansible_version) < LooseVersion('2.10'): + if module.params['params']: + module.deprecate("The `params` option to ldap_attr will be removed in Ansible 2.10" + " since it circumvents Ansible's option handling", version='2.10') + + # However, the bind_pw parameter contains a password so it **must** go through the normal + # argument parsing even though removing it breaks backwards compat. + if 'bind_pw' in module.params['params']: + module.fail_json(msg="Using `bind_pw` with the `params` option has been disallowed since" + " it is insecure. Use the `bind_pw` option directly. The `params`" + " option will be removed in Ansible-2.10") + + # Update module parameters with user's parameters if defined + module.params.update(module.params['params']) + # Remove params itself + module.params.pop('params', None) + else: + # For Ansible 2.10 and above + if module.params['params']: + module.fail_json(msg="The `params` option to ldap_attr was removed in Ansible-2.10 since" + " it circumvents Ansible's option handling") + state = module.params['state'] # Check if objectClass is present when needed @@ -217,17 +241,6 @@ def main(): isinstance(module.params['objectClass'], list))): module.fail_json(msg="objectClass must be either a string or a list.") - # Update module parameters with user's parameters if defined - if 'params' in module.params and isinstance(module.params['params'], dict): - for key, val in module.params['params'].items(): - if key in module.argument_spec: - module.params[key] = val - else: - module.params['attributes'][key] = val - - # Remove the params - module.params.pop('params', None) - # Instantiate the LdapEntry object ldap = LdapEntry(module)
test/sanity/validate-modules/ignore.txt+2 −0 modified@@ -417,6 +417,8 @@ lib/ansible/modules/monitoring/sensu_handler.py E326 lib/ansible/modules/monitoring/zabbix/zabbix_maintenance.py E317 lib/ansible/modules/net_tools/basics/uri.py E323 lib/ansible/modules/net_tools/basics/uri.py E326 +lib/ansible/modules/net_tools/ldap/ldap_attr.py E322 +lib/ansible/modules/net_tools/ldap/ldap_entry.py E322 lib/ansible/modules/network/a10/a10_server_axapi3.py E326 lib/ansible/modules/network/a10/a10_virtual_server.py E324 lib/ansible/modules/network/aci/aci_epg_to_domain.py E325
d41e38435b1a[2.9] CVE-2020-1746 - Remove the params module option from ldap_attr and ldap_entry (#68714)
7 files changed · +102 −30
changelogs/fragments/ldap-params-removal.yml+8 −0 added@@ -0,0 +1,8 @@ +removed_features: + - "ldap_attr, ldap_entry - The ``params`` option has been removed in + Ansible-2.10 as it circumvents Ansible's option handling. Setting + ``bind_pw`` with the ``params`` option was disallowed in Ansible-2.7, 2.8, + and 2.9 as it was insecure. For information about this policy, see the +discussion at: + https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html + This fixes CVE-2020-1746"
docs/docsite/rst/porting_guides/porting_guide_2.7.rst+14 −0 modified@@ -103,6 +103,15 @@ hashing algorithm being used with this filter. Deprecated ========== +Expedited Deprecation: Removal of the params module option in ``ldap_attr`` and ``ldap_entry`` +---------------------------------------------------------------------------------------------- + +The ``params`` module option in ``ldap_attr`` and ``ldap_entry`` are deprecated on a short cycle (to +be removed in Ansible-2.10) due to circumventing Ansible's normal option handling. In particular, +if the ``bind_pw`` option is set with ``params``, the value of the option could end up being placed +in a logfile or displayed on stdout. + + Expedited Deprecation: Use of ``__file__`` in ``AnsibleModule`` --------------------------------------------------------------- @@ -192,6 +201,11 @@ The following modules will be removed in Ansible 2.11. Please update your playbo Noteworthy module changes ------------------------- +* **Security Issue** Setting ``bind_pw`` with the ``params`` option for the ``ldap_entry`` and + ``ldap_attr`` modules has been disallowed. If ``bind_pw`` was set with ``params``, the value + could have ended up in a logfile or displayed on stdout. Set ``bind_pw`` directly, with the + modules' options instead. + * Check mode is now supported in the ``command`` and ``shell`` modules. However, only when ``creates`` or ``removes`` is specified. If either of these are specified, the module will check for existence of the file and report the correct changed status, if they are not included the module will skip like it had done previously.
docs/docsite/rst/porting_guides/porting_guide_2.8.rst+9 −0 modified@@ -324,6 +324,11 @@ By default in Ansible 2.7, or with ``AGNOSTIC_BECOME_PROMPT=False`` in Ansible 2 Deprecated ========== +* The ``params`` module option in ``ldap_attr`` and ``ldap_entry`` are deprecated on a short cycle + (to be removed in Ansible-2.10) due to circumventing Ansible's normal option handling. In + particular, if the ``bind_pw`` option is set with ``params``, the value of the option could end up + being placed in a logfile or displayed on stdout. + * Setting the async directory using ``ANSIBLE_ASYNC_DIR`` as an task/play environment key is deprecated and will be removed in Ansible 2.12. You can achieve the same result by setting ``ansible_async_dir`` as a variable like:: @@ -406,6 +411,10 @@ The following modules will be removed in Ansible 2.12. Please update your playbo Noteworthy module changes ------------------------- +* **Security Issue** Setting ``bind_pw`` with the ``params`` option for the ``ldap_entry`` and + ``ldap_attr`` modules has been disallowed. If ``bind_pw`` was set with ``params``, the value + could have ended up in a logfile or displayed on stdout. Set ``bind_pw`` directly, with the + modules' options instead. * The ``foreman`` and ``katello`` modules have been deprecated in favor of a set of modules that are broken out per entity with better idempotency in mind. * The ``foreman`` and ``katello`` modules replacement is officially part of the Foreman Community and supported there. * The ``tower_credential`` module originally required the ``ssh_key_data`` to be the path to a ssh_key_file.
docs/docsite/rst/porting_guides/porting_guide_2.9.rst+8 −1 modified@@ -42,7 +42,10 @@ Command Line Deprecated ========== -No notable changes +- The ``params`` module option in ``ldap_attr`` and ``ldap_entry`` are deprecated on a short cycle (to be + removed in Ansible-2.10) due to circumventing Ansible's normal option handling. In particular, if + the ``bind_pw`` option is set with ``params``, the value of the option could end up being placed in + a logfile or displayed on stdout. Collection loader changes @@ -691,6 +694,10 @@ be removed in Ansible 2.13. Please update update your playbooks accordingly. Noteworthy module changes ------------------------- +* **Security Issue** Setting ``bind_pw`` with the ``params`` option for the ``ldap_entry`` and + ``ldap_attr`` modules has been disallowed. If ``bind_pw`` was set with ``params``, the value could + have ended up in a logfile or displayed on stdout. Set ``bind_pw`` directly, with the modules' + options instead. * :ref:`vmware_cluster <vmware_cluster_module>` was refactored for easier maintenance/bugfixes. Use the three new, specialized modules to configure clusters. Configure DRS with :ref:`vmware_cluster_drs <vmware_cluster_drs_module>`, HA with :ref:`vmware_cluster_ha <vmware_cluster_ha_module>` and vSAN with :ref:`vmware_cluster_vsan <vmware_cluster_vsan_module>`. * :ref:`vmware_dvswitch <vmware_dvswitch_module>` accepts ``folder`` parameter to place dvswitch in user defined folder. This option makes ``datacenter`` as an optional parameter. * :ref:`vmware_datastore_cluster <vmware_datastore_cluster_module>` accepts ``folder`` parameter to place datastore cluster in user defined folder. This option makes ``datacenter`` as an optional parameter.
lib/ansible/modules/net_tools/ldap/ldap_attr.py+29 −10 modified@@ -35,6 +35,9 @@ rules. This should work out in most cases, but it is theoretically possible to see spurious changes when target and actual values are semantically identical but lexically distinct. + - "The I(params) parameter is deprecated in Ansible-2.7 due to circumventing Ansible's parameter + handling. The I(params) parameter started disallowing setting the I(bind_pw) parameter in Ansible-2.7 + as it was insecure to set the parameter that way." version_added: '2.3' author: - Jiri Tyr (@jtyr) @@ -62,10 +65,6 @@ a list of strings (see examples). type: raw required: true - params: - description: - - Additional module parameters. - type: dict extends_documentation_fragment: - ldap.documentation ''' @@ -133,13 +132,15 @@ # server_uri: ldap://localhost/ # bind_dn: cn=admin,dc=example,dc=com # bind_pw: password +# +# In the example below, 'args' is a task keyword, passed at the same level as the module - name: Get rid of an unneeded attribute ldap_attr: dn: uid=jdoe,ou=people,dc=example,dc=com name: shadowExpire values: [] state: exact - params: "{{ ldap_auth }}" + args: "{{ ldap_auth }}" ''' RETURN = r''' @@ -151,6 +152,7 @@ ''' import traceback +from distutils.version import LooseVersion from ansible.module_utils.basic import AnsibleModule, missing_required_lib from ansible.module_utils._text import to_native, to_bytes @@ -250,11 +252,28 @@ def main(): module.fail_json(msg=missing_required_lib('python-ldap'), exception=LDAP_IMP_ERR) - # Update module parameters with user's parameters if defined - if 'params' in module.params and isinstance(module.params['params'], dict): - module.params.update(module.params['params']) - # Remove the params - module.params.pop('params', None) + # For Ansible-2.9.x and below, allow the params module parameter with a warning + if LooseVersion(module.ansible_version) < LooseVersion('2.10'): + if module.params['params']: + module.deprecate("The `params` option to ldap_attr will be removed in Ansible 2.10" + " since it circumvents Ansible's option handling", version='2.10') + + # However, the bind_pw parameter contains a password so it **must** go through the normal + # argument parsing even though removing it breaks backwards compat. + if 'bind_pw' in module.params['params']: + module.fail_json(msg="Using `bind_pw` with the `params` option has been disallowed since" + " it is insecure. Use the `bind_pw` option directly. The `params`" + " option will be removed in Ansible-2.10") + + # Update module parameters with user's parameters if defined + module.params.update(module.params['params']) + # Remove params itself + module.params.pop('params', None) + else: + # For Ansible 2.10 and above + if module.params['params']: + module.fail_json(msg="The `params` option to ldap_attr was removed in Ansible-2.10 since" + " it circumvents Ansible's option handling") # Instantiate the LdapAttr object ldap = LdapAttr(module)
lib/ansible/modules/net_tools/ldap/ldap_entry.py+30 −17 modified@@ -32,6 +32,9 @@ rule allowing root to modify the server configuration. If you need to use a simple bind to access your server, pass the credentials in I(bind_dn) and I(bind_pw). + - "The I(params) parameter is deprecated in Ansible-2.7 due to circumventing Ansible's parameter + handling. The I(params) parameter started disallowing setting the I(bind_pw) parameter in Ansible-2.7 + as it was insecure to set the parameter that way." version_added: '2.3' author: - Jiri Tyr (@jtyr) @@ -48,11 +51,6 @@ - If I(state=present), value or list of values to use when creating the entry. It can either be a string or an actual list of strings. - params: - description: - - List of options which allows to overwrite any of the task or the - I(attributes) options. To remove an option, set the value of the option - to C(null). state: description: - The target state of the entry. @@ -94,11 +92,13 @@ # server_uri: ldap://localhost/ # bind_dn: cn=admin,dc=example,dc=com # bind_pw: password +# +# In the example below, 'args' is a task keyword, passed at the same level as the module - name: Get rid of an old entry ldap_entry: dn: ou=stuff,dc=example,dc=com state: absent - params: "{{ ldap_auth }}" + args: "{{ ldap_auth }}" """ @@ -107,6 +107,7 @@ """ import traceback +from distutils.version import LooseVersion from ansible.module_utils.basic import AnsibleModule, missing_required_lib from ansible.module_utils.six import string_types @@ -204,6 +205,29 @@ def main(): module.fail_json(msg=missing_required_lib('python-ldap'), exception=LDAP_IMP_ERR) + # For Ansible-2.9.x and below, allow the params module parameter with a warning + if LooseVersion(module.ansible_version) < LooseVersion('2.10'): + if module.params['params']: + module.deprecate("The `params` option to ldap_attr will be removed in Ansible 2.10" + " since it circumvents Ansible's option handling", version='2.10') + + # However, the bind_pw parameter contains a password so it **must** go through the normal + # argument parsing even though removing it breaks backwards compat. + if 'bind_pw' in module.params['params']: + module.fail_json(msg="Using `bind_pw` with the `params` option has been disallowed since" + " it is insecure. Use the `bind_pw` option directly. The `params`" + " option will be removed in Ansible-2.10") + + # Update module parameters with user's parameters if defined + module.params.update(module.params['params']) + # Remove params itself + module.params.pop('params', None) + else: + # For Ansible 2.10 and above + if module.params['params']: + module.fail_json(msg="The `params` option to ldap_attr was removed in Ansible-2.10 since" + " it circumvents Ansible's option handling") + state = module.params['state'] # Check if objectClass is present when needed @@ -217,17 +241,6 @@ def main(): isinstance(module.params['objectClass'], list))): module.fail_json(msg="objectClass must be either a string or a list.") - # Update module parameters with user's parameters if defined - if 'params' in module.params and isinstance(module.params['params'], dict): - for key, val in module.params['params'].items(): - if key in module.argument_spec: - module.params[key] = val - else: - module.params['attributes'][key] = val - - # Remove the params - module.params.pop('params', None) - # Instantiate the LdapEntry object ldap = LdapEntry(module)
test/sanity/ignore.txt+4 −2 modified@@ -2407,9 +2407,11 @@ lib/ansible/modules/net_tools/dnsmadeeasy.py validate-modules:doc-missing-type lib/ansible/modules/net_tools/ip_netns.py validate-modules:doc-missing-type lib/ansible/modules/net_tools/ipinfoio_facts.py validate-modules:parameter-type-not-in-doc lib/ansible/modules/net_tools/ipinfoio_facts.py validate-modules:doc-missing-type -lib/ansible/modules/net_tools/ldap/ldap_attr.py validate-modules:parameter-type-not-in-doc -lib/ansible/modules/net_tools/ldap/ldap_entry.py validate-modules:parameter-type-not-in-doc +lib/ansible/modules/net_tools/ldap/ldap_attr.py validate-modules:parameter-type-not-in-doc # This triggers when a parameter is undocumented +lib/ansible/modules/net_tools/ldap/ldap_attr.py validate-modules:undocumented-parameter # Parameter removed but reason for removal is shown by custom code lib/ansible/modules/net_tools/ldap/ldap_entry.py validate-modules:doc-missing-type +lib/ansible/modules/net_tools/ldap/ldap_entry.py validate-modules:parameter-type-not-in-doc # This triggers when a parameter is undocumented +lib/ansible/modules/net_tools/ldap/ldap_entry.py validate-modules:undocumented-parameter # Parameter removed but reason for removal is shown by custom code lib/ansible/modules/net_tools/ldap/ldap_passwd.py validate-modules:doc-missing-type lib/ansible/modules/net_tools/netbox/netbox_device.py validate-modules:parameter-type-not-in-doc lib/ansible/modules/net_tools/netbox/netbox_device.py validate-modules:doc-missing-type
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- github.com/advisories/GHSA-j2h6-73x8-22c4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-1746ghsaADVISORY
- www.debian.org/security/2021/dsa-4950ghsavendor-advisoryx_refsource_DEBIANWEB
- bugzilla.redhat.com/show_bug.cgighsax_refsource_CONFIRMWEB
- github.com/ansible/ansible/commit/d41e38435b1a9e300d8011ac28f16a5add2db119ghsaWEB
- github.com/ansible/ansible/commit/e6199d768c1c18a4e750ec78d4ded088629baa3fghsaWEB
- github.com/ansible/ansible/commit/edd1e1723cc937ec9251adf38c1199a00b0bf6d4ghsaWEB
- github.com/ansible/ansible/pull/67866ghsax_refsource_CONFIRMWEB
- github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-13.yamlghsaWEB
News mentions
0No linked articles in our index yet.