A flaw was found in ansible. Credentials such as secrets are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected.

🗓️ 04 Jun 2021 07:00:00Reported by MicrosoftType

mscve

mscve🔗 msrc.microsoft.com👁 2 Views

Ansible exposes credentials in console logs, not protected by no_log, affecting versions before 2.9.18.

Reporter	Title	Published	Views	Family All 99
Tenable Nessus	Amazon Linux 2 : ansible (ALAS-2021-1613)	19 Mar 202100:00	–	nessus
Tenable Nessus	Amazon Linux 2 : ansible (ALASANSIBLE2-2023-004)	27 Sep 202300:00	–	nessus
Tenable Nessus	Fedora 32 : ansible (2021-9a0903469c)	2 Mar 202100:00	–	nessus
Tenable Nessus	Fedora 33 : ansible (2021-e9478617ae)	2 Mar 202100:00	–	nessus
Tenable Nessus	openSUSE 15 Security Update : ansible (openSUSE-SU-2022:0081-1)	17 Mar 202200:00	–	nessus
Tenable Nessus	RHEL 7 / 8 : Ansible security update (2.9.18) (Moderate) (RHSA-2021:0663)	24 Feb 202100:00	–	nessus
Tenable Nessus	RHEL 7 / 8 : Ansible security update (2.9.18) (Moderate) (RHSA-2021:0664)	24 Feb 202100:00	–	nessus
Tenable Nessus	RHEL 8 : RHV Engine and Host Common Packages security update [ovirt-4.4.6] (Moderate) (RHSA-2021:2180)	1 Jun 202100:00	–	nessus
Tenable Nessus	SUSE SLES15 : Important security update for SUSE Manager Client Tools (SUSE-SU-2022:3178-1)	9 Sep 202200:00	–	nessus
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2021-20191	7 Aug 202500:00	–	nessus

Vulners

Node

microsoft cm1_ansible_2.9.18-1Range<2.9.18-1

04 Jun 2021 07:00Current

9.5High risk

Vulners AI Score9.5

CVSS 22.1

CVSS 3.15.5

EPSS0.00024

ansible credentials exposed console logs no log protection data confidentiality vulnerability pre 2.9.18