GitHub Advisory DatabaseGHSA-FH5V-5F35-2RV2Insertion of Sensitive Information into Log File in ansible
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
2.1 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
0.0004 Low
EPSS
Percentile
11.7%
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.
References
bugzilla.redhat.com/show_bug.cgi?id=1915808
github.com/advisories/GHSA-fh5v-5f35-2rv2
github.com/ansible/ansible/blob/v2.8.19/changelogs/CHANGELOG-v2.8.rst
github.com/ansible/ansible/blob/v2.9.18/changelogs/CHANGELOG-v2.9.rst
github.com/ansible/ansible/pull/73242
github.com/ansible/ansible/pull/73243
github.com/ansible/ansible/tree/v2.7.18/lib/ansible/modules/source_control
github.com/ansible/ansible/tree/v2.8.0a1/lib/ansible/modules/source_control
nvd.nist.gov/vuln/detail/CVE-2021-20180
Related
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
2.1 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
0.0004 Low
EPSS
Percentile
11.7%