Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
archlinuxArchLinuxASA-202102-9
HistoryFeb 06, 2021 - 12:00 a.m.

[ASA-202102-9] ansible: information disclosure

2021-02-0600:00:00
security.archlinux.org
84

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

0.0005 Low

EPSS

Percentile

16.2%

JSON

Arch Linux Security Advisory ASA-202102-9

Severity: Medium
Date : 2021-02-06
CVE-ID : CVE-2021-20178 CVE-2021-20180 CVE-2021-20191
Package : ansible
Type : information disclosure
Remote : No
Link : https://security.archlinux.org/AVG-1437

Summary

The package ansible before version 2.10.7-1 is vulnerable to
information disclosure.

Resolution

Upgrade to 2.10.7-1.

pacman -Syu “ansible>=2.10.7-1”

The problems have been fixed upstream in version 2.10.7.

Workaround

None.

Description

  • CVE-2021-20178 (information disclosure)

A flaw was found in Ansible before version 2.10.6 where the ‘authkey’
and ‘privkey’ credentials are disclosed by default and not protected by
no_log feature when using the snmp_facts module. Attackers could take
advantage of this information to steal the SNMP credentials.

  • CVE-2021-20180 (information disclosure)

A flaw was found in Ansible before version 2.10.6 where credentials
such as secrets are being disclosed in console log by default and not
protected by secured feature when using bitbucket_pipeline_variable
module. An attacker can take advantage of this information to steal
bitbucket_pipeline credentials.

  • CVE-2021-20191 (information disclosure)

A flaw was found in ansible-collection where credentials such as
secrets are being disclosed in console log by default and not protected
by no_log feature when using those modules. An attacker can take
advantage of this information to steal those credentials.

Impact

A local attacker can access sensitive information like credentials and
keys.

References

https://bugzilla.redhat.com/show_bug.cgi?id=1914774
https://github.com/ansible-collections/community.general/pull/1621
https://github.com/ansible-collections/community.general/commit/fa2d2d6971d668f82207dd3e265820fdb4b0048d
https://bugzilla.redhat.com/show_bug.cgi?id=1915808
https://github.com/ansible-collections/community.general/pull/1635
https://github.com/ansible-collections/community.general/commit/a3f08377b2000f8e179e361bcfef4afec18ba1e5
https://bugzilla.redhat.com/show_bug.cgi?id=1916813
https://github.com/ansible-collections/cisco.nxos/pull/227
https://github.com/ansible-collections/cisco.nxos/commit/120956963f47502151a358e4a7bc2a87f71813aa
https://security.archlinux.org/CVE-2021-20178
https://security.archlinux.org/CVE-2021-20180
https://security.archlinux.org/CVE-2021-20191

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanyansible< 2.10.7-1UNKNOWN

Related

nessus 9
amazon 1
redhat 7
openvas 7
rosalinux 1
fedora 2
mageia 2
photon 1
suse 2
veracode 3
cbl_mariner 2
osv 9
cve 3
redhatcve 3
prion 3
ubuntucve 3
debiancve 3
github 3
alpinelinux 1
ibm 3
debian 1
nessus
nessus
Amazon Linux 2 : ansible (ALAS-2021-1613)
2021-03-19 00:00:00
Fedora 33 : ansible (2021-e9478617ae)
2021-03-02 00:00:00
Amazon Linux 2 : ansible (ALASANSIBLE2-2023-004)
2023-09-27 00:00:00
amazon
amazon
Medium: ansible
2021-03-18 01:13:00
redhat
redhat
(RHSA-2021:0664) Moderate: Ansible security and bug fix update (2.9.18)
2021-02-24 17:27:09
(RHSA-2021:2180) Moderate: RHV Engine and Host Common Packages security update [ovirt-4.4.6]
2021-06-01 11:44:42
(RHSA-2021:0663) Moderate: Ansible security and bug fix update (2.9.18)
2021-02-24 17:26:48
openvas
openvas
Fedora: Security Advisory for ansible (FEDORA-2021-e9478617ae)
2021-03-02 00:00:00
Fedora: Security Advisory for ansible (FEDORA-2021-9a0903469c)
2021-03-02 00:00:00
Mageia: Security Advisory (MGASA-2021-0132)
2022-01-28 00:00:00
rosalinux
rosalinux
Advisory ROSA-SA-2024-2334
2024-01-30 08:40:29
fedora
fedora
[SECURITY] Fedora 32 Update: ansible-2.9.18-1.fc32
2021-03-01 17:06:17
[SECURITY] Fedora 33 Update: ansible-2.9.18-1.fc33
2021-03-01 17:02:27
mageia
mageia
Updated ansible packages fix security vulnerability
2021-03-12 04:25:47
Updated ansible packages fix security vulnerability
2021-03-12 04:25:47
photon
photon
Critical Photon OS Security Update - PHSA-2022-0528
2022-10-18 00:00:00
suse
suse
Important for SUSE Manager Client Tools (important)
2022-09-08 00:00:00
Security update for ansible (important)
2022-03-16 00:00:00
veracode
veracode
Information Disclosure
2021-02-25 06:28:44
Information Disclosure
2021-02-25 06:28:49
Information Disclosure
2021-02-25 06:28:38
cbl_mariner
cbl_mariner
CVE-2021-20191 affecting package ansible 2.9.12-1
2021-07-08 21:56:43
CVE-2021-20178 affecting package ansible 2.9.12-1
2021-07-08 21:56:43
osv
osv
Insertion of Sensitive Information into Log File in ansible
2021-06-01 21:53:29
Insertion of Sensitive Information into Log File in ansible
2021-06-01 21:38:33
PYSEC-2021-124
2021-05-26 21:15:00
cve
cve
CVE-2021-20178
2021-05-26 12:15:00
CVE-2021-20191
2021-05-26 21:15:00
CVE-2021-20180
2022-03-16 15:15:00
redhatcve
redhatcve
CVE-2021-20178
2021-01-11 18:15:53
CVE-2021-20191
2021-01-15 16:17:48
CVE-2021-20180
2021-01-13 14:19:20
prion
prion
Design/Logic Flaw
2021-05-26 21:15:00
Security feature bypass
2022-03-16 15:15:00
Security feature bypass
2021-05-26 12:15:00
ubuntucve
ubuntucve
CVE-2021-20191
2021-05-26 00:00:00
CVE-2021-20178
2021-05-26 00:00:00
CVE-2021-20180
2022-03-16 00:00:00
debiancve
debiancve
CVE-2021-20191
2021-05-26 21:15:00
CVE-2021-20180
2022-03-16 15:15:00
CVE-2021-20178
2021-05-26 12:15:00
github
github
Insertion of Sensitive Information into Log File in ansible
2022-03-17 00:00:44
Insertion of Sensitive Information into Log File in ansible
2021-06-01 21:38:33
Insertion of Sensitive Information into Log File in ansible
2021-06-01 21:53:29
alpinelinux
alpinelinux
CVE-2021-20191
2021-05-26 21:15:00
ibm
ibm
Security Bulletin: Vulnerability in Ansible bundled with IBM Spectrum Fusion HCI
2022-09-29 22:36:09
Security Bulletin: IBM Spectrum Discover is vulnerable to multiple vulnerabilities
2022-08-23 22:32:13
Security Bulletin: Multiple Vulnerabilities in Multicloud Management Security Services
2023-02-16 18:43:50
debian
debian
[SECURITY] [DLA 3695-1] ansible security update
2023-12-28 17:44:01

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

0.0005 Low

EPSS

Percentile

16.2%

JSON
Related for ASA-202102-9
nessus9amazon1redhat7openvas7rosalinux1fedora2mageia2photon1suse2veracode3cbl_mariner2osv9cve3redhatcve3prion3ubuntucve3debiancve3github3alpinelinux1ibm3debian1