Moderate severityNVD Advisory· Published Mar 16, 2020· Updated Aug 4, 2024
CVE-2020-1753
CVE-2020-1753
Description
A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line, not using an environment variable or an input configuration file. This will disclose passwords and tokens from process list and no_log directive from debug module would not have any effect making these secrets being disclosed on stdout and log files.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ansiblePyPI | >= 2.7.0a1, < 2.7.18 | 2.7.18 |
ansiblePyPI | >= 2.8.0a1, < 2.8.12 | 2.8.12 |
ansiblePyPI | >= 2.9.0a1, < 2.9.7 | 2.9.7 |
Affected products
1Patches
3273d8538dbe5document danger of kubectl options (#68195)
1 file changed · +5 −0
lib/ansible/plugins/connection/kubectl.py+5 −0 modified@@ -65,6 +65,7 @@ kubectl_extra_args: description: - Extra arguments to pass to the kubectl command line. + - Please be aware that this passes information directly on the command line and it could expose sensitive data. default: '' vars: - name: ansible_kubectl_extra_args @@ -109,6 +110,8 @@ kubectl_password: description: - Provide a password for authenticating with the API. + - Please be aware that this passes information directly on the command line and it could expose sensitive data. + We recommend using the file based authentication options instead. default: '' vars: - name: ansible_kubectl_password @@ -117,6 +120,8 @@ kubectl_token: description: - API authentication bearer token. + - Please be aware that this passes information directly on the command line and it could expose sensitive data. + We recommend using the file based authentication options instead. vars: - name: ansible_kubectl_token - name: ansible_kubectl_api_key
04ba05e003b2document danger of kubectl options (#68195)
1 file changed · +5 −0
lib/ansible/plugins/connection/kubectl.py+5 −0 modified@@ -65,6 +65,7 @@ kubectl_extra_args: description: - Extra arguments to pass to the kubectl command line. + - Please be aware that this passes information directly on the command line and it could expose sensitive data. default: '' vars: - name: ansible_kubectl_extra_args @@ -109,6 +110,8 @@ kubectl_password: description: - Provide a password for authenticating with the API. + - Please be aware that this passes information directly on the command line and it could expose sensitive data. + We recommend using the file based authentication options instead. default: '' vars: - name: ansible_kubectl_password @@ -117,6 +120,8 @@ kubectl_token: description: - API authentication bearer token. + - Please be aware that this passes information directly on the command line and it could expose sensitive data. + We recommend using the file based authentication options instead. vars: - name: ansible_kubectl_token - name: ansible_kubectl_api_key
137caed836efdocument danger of kubectl options (#68195)
1 file changed · +5 −0
lib/ansible/plugins/connection/kubectl.py+5 −0 modified@@ -65,6 +65,7 @@ kubectl_extra_args: description: - Extra arguments to pass to the kubectl command line. + - Please be aware that this passes information directly on the command line and it could expose sensitive data. default: '' vars: - name: ansible_kubectl_extra_args @@ -108,6 +109,8 @@ kubectl_password: description: - Provide a password for authenticating with the API. + - Please be aware that this passes information directly on the command line and it could expose sensitive data. + We recommend using the file based authentication options instead. default: '' vars: - name: ansible_kubectl_password @@ -116,6 +119,8 @@ kubectl_token: description: - API authentication bearer token. + - Please be aware that this passes information directly on the command line and it could expose sensitive data. + We recommend using the file based authentication options instead. vars: - name: ansible_kubectl_token - name: ansible_kubectl_api_key
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
17- github.com/advisories/GHSA-86hp-cj9j-33vvghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2020-1753ghsaADVISORY
- security.gentoo.org/glsa/202006-11ghsavendor-advisoryx_refsource_GENTOOWEB
- www.debian.org/security/2021/dsa-4950ghsavendor-advisoryx_refsource_DEBIANWEB
- bugzilla.redhat.com/show_bug.cgighsax_refsource_CONFIRMWEB
- github.com/ansible-collections/kubernetes/pull/51ghsax_refsource_CONFIRMWEB
- github.com/ansible/ansible/commit/04ba05e003b268b83df6c106ba5c0f08548b1380ghsaWEB
- github.com/ansible/ansible/commit/137caed836ef096945086cfe75dc11587b68db3aghsaWEB
- github.com/ansible/ansible/commit/273d8538dbe5a7b5c9954f1929d3bb00904c43f6ghsaWEB
- github.com/ansible/ansible/pull/68195ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-210.yamlghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFWghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2SghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCBghsaWEB
News mentions
0No linked articles in our index yet.