[ASA-202102-9] ansible: information disclosure

2021-02-06 00:00:00
security.archlinux.org

CVSS3 : 5.5 Medium
  Attack Vector          : LOCAL
  Attack Complexity      : LOW
  Privileges Required    : LOW
  User Interaction       : NONE
  Scope                  : UNCHANGED
  Confidentiality Impact : HIGH
  Integrity Impact       : NONE
  Availability Impact    : NONE
  Vector                 : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS2 : 2.1 Low
  Access Vector          : LOCAL
  Access Complexity      : LOW
  Authentication         : NONE
  Confidentiality Impact : PARTIAL
  Integrity Impact       : NONE
  Availability Impact    : NONE
  Vector                 : AV:L/AC:L/Au:N/C:P/I:N/A:N

EPSS  : 0.0005 Low (percentile 14.3%)

Arch Linux Security Advisory ASA-202102-9

Severity: Medium
Date : 2021-02-06
CVE-ID : CVE-2021-20178 CVE-2021-20180 CVE-2021-20191
Package : ansible
Type : information disclosure
Remote : No
Link : https://security.archlinux.org/AVG-1437

Summary

The package ansible before version 2.10.7-1 is vulnerable to
information disclosure.

Resolution

Upgrade to 2.10.7-1.

pacman -Syu "ansible>=2.10.7-1"

The problems have been fixed upstream in version 2.10.7.

Workaround

None.

Description

  • CVE-2021-20178 (information disclosure)

A flaw was found in Ansible before version 2.10.6 where the 'authkey'
and 'privkey' credentials are disclosed by default and not protected by
the no_log feature when using the snmp_facts module. Attackers could take
advantage of this information to steal the SNMP credentials.

  • CVE-2021-20180 (information disclosure)

A flaw was found in Ansible before version 2.10.6 where credentials
such as secrets are disclosed in the console log by default and not
protected by the secured feature when using the bitbucket_pipeline_variable
module. An attacker can take advantage of this information to steal
bitbucket_pipeline credentials.

  • CVE-2021-20191 (information disclosure)

A flaw was found in ansible-collection where credentials such as
secrets are disclosed in the console log by default and not protected
by the no_log feature when using those modules. An attacker can take
advantage of this information to steal those credentials.
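All three issues come down to module parameters that carry credentials but were not marked no_log in the module's argument_spec, so their values were echoed back in the task's logged invocation. The following is an added example, not Ansible's code and not taken from the referenced fixes: a simplified stand-in for that redaction step beside an audit that flags credential-looking parameters lacking no_log=True. The argument_spec dictionaries, parameter values and the secret-name heuristic are constructed for the example.

```python
# Added example, not Ansible's code: a simplified model of how the no_log flag
# in a module's argument_spec keeps parameters out of the logged "invocation"
# data. The placeholder string matches Ansible's; the rest is a reconstruction.
REDACTED = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"

# Name fragments that usually mark a secret (assumed heuristic, not Ansible's).
SECRET_NAME_HINTS = ("key", "password", "passwd", "secret", "token")

# Constructed argument_spec for an snmp_facts-style module before the fix:
# authkey and privkey carry SNMPv3 credentials but are not flagged no_log.
VULNERABLE_SPEC = {
    "host": {"type": "str", "required": True},
    "username": {"type": "str"},
    "authkey": {"type": "str"},
    "privkey": {"type": "str"},
}

# The same spec with the credentials marked no_log=True (constructed).
FIXED_SPEC = {
    **VULNERABLE_SPEC,
    "authkey": {"type": "str", "no_log": True},
    "privkey": {"type": "str", "no_log": True},
}


def redact_invocation(argument_spec, params):
    """Return the invocation dict a module would report: each parameter whose
    spec has no_log=True is replaced by the placeholder, the rest pass through."""
    return {
        name: REDACTED if argument_spec.get(name, {}).get("no_log") else value
        for name, value in params.items()
    }


def audit_no_log(argument_spec):
    """List parameters whose names suggest credentials but lack no_log=True,
    in the spirit of ansible-test's 'no-log-needed' sanity check."""
    return sorted(
        name for name, spec in argument_spec.items()
        if any(hint in name.lower() for hint in SECRET_NAME_HINTS)
        and not spec.get("no_log")
    )


if __name__ == "__main__":
    params = {"host": "10.0.0.1", "username": "monitor",          # constructed
              "authkey": "authpass123", "privkey": "privpass456"}
    print(redact_invocation(VULNERABLE_SPEC, params))  # credentials in clear
    print(redact_invocation(FIXED_SPEC, params))       # credentials redacted
    print(audit_no_log(VULNERABLE_SPEC))               # ['authkey', 'privkey']
```

Running the audit against a collection's argument_spec definitions before release is the defender-side check that would have caught these three modules.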

Impact

A local attacker can access sensitive information like credentials and
keys.

References

https://bugzilla.redhat.com/show_bug.cgi?id=1914774
https://github.com/ansible-collections/community.general/pull/1621
https://github.com/ansible-collections/community.general/commit/fa2d2d6971d668f82207dd3e265820fdb4b0048d
https://bugzilla.redhat.com/show_bug.cgi?id=1915808
https://github.com/ansible-collections/community.general/pull/1635
https://github.com/ansible-collections/community.general/commit/a3f08377b2000f8e179e361bcfef4afec18ba1e5
https://bugzilla.redhat.com/show_bug.cgi?id=1916813
https://github.com/ansible-collections/cisco.nxos/pull/227
https://github.com/ansible-collections/cisco.nxos/commit/120956963f47502151a358e4a7bc2a87f71813aa
https://security.archlinux.org/CVE-2021-20178
https://security.archlinux.org/CVE-2021-20180
https://security.archlinux.org/CVE-2021-20191

OS          Version  Architecture  Package  Version     Filename
Arch Linux  any      any           ansible  < 2.10.7-1  UNKNOWN