CVE-2021-20178

Severity
5.5 MEDIUM
EPSS
0.0%
top 86.61%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published May 26
Latest update Jun 1

Description

A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6

Affected Packages (5 packages)

PyPI ansible < 2.9.18
NVD redhat/ansible < 2.9.18
Debian ansible < 2.10.7-1+3
CVEListV5 ansible before 2.9.18

Also affects: Fedora 32, 33

Vulnerability Details (4)

OSV
Insertion of Sensitive Information into Log File in ansible (2021-06-01)
GHSA
Insertion of Sensitive Information into Log File in ansible (2021-06-01)
CVEList
CVE-2021-20178: A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using (2021-05-26)
OSV
CVE-2021-20178: A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using (2021-05-26)

Vendor Advisories (3)

Microsoft
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw (2021-05-11)
Red Hat
ansible: user data leak in snmp_facts module (2021-01-11)
Debian
CVE-2021-20178: ansible - A flaw was found in ansible module where credentials are disclosed in the consol... (2021)