Lucene search

K

GitHub Advisory DatabaseGHSA-4R65-35QQ-CH8J

HistoryMar 04, 2022 - 12:00 a.m.

Ansible discloses sensitive information in traceback error message

2022-03-0400:00:17

CWE-209

GitHub Advisory Database

github.com

12

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

14.3%

Ansible is an IT automation system that handles configuration management, application deployment, cloud provisioning, ad-hoc task execution, network automation, and multi-node orchestration. A flaw was found in Ansible Engine’s ansible-connection module where sensitive information, such as the Ansible user credentials, is disclosed by default in the traceback error message when Ansible receives an unexpected response from set_options. The highest threat from this vulnerability is confidentiality.

CPENameOperatorVersion
ansiblelt2.9.27

References

access.redhat.com/errata/RHSA-2021:3871

access.redhat.com/errata/RHSA-2021:3872

access.redhat.com/errata/RHSA-2021:3874

access.redhat.com/errata/RHSA-2021:4703

access.redhat.com/errata/RHSA-2021:4750

access.redhat.com/security/cve/CVE-2021-3620

bugzilla.redhat.com/show_bug.cgi?id=1975767

github.com/advisories/GHSA-4r65-35qq-ch8j

github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes

github.com/ansible/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0

github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2022-164.yaml

lists.debian.org/debian-lts-announce/2023/12/msg00018.html

nvd.nist.gov/vuln/detail/CVE-2021-3620

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

2.1 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

14.3%

Related for GHSA-4R65-35QQ-CH8J

nessus9 osv3 fedora3 freebsd1 prion1 redhat7 mageia1 openvas8 veracode1 cbl_mariner1 ubuntucve1 debiancve1 ibm2 cve1 redhatcve1 ubuntu1 suse1 debian1