CVE-2021-20228

CWE-200 — Information Exposure CWE-522 — Insufficiently Protected Credentials8 documents7 sources

Severity

7.5HIGH

EPSS

0.1%

top 64.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Debian Linux Redhat Ansible Automation Platform Redhat Ansible Engine +1 more

Timeline

PublishedApr 29

Latest updateMay 25

Description

A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from this vulnerability is to confidentiality.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶NVDredhat/ansible_engine2.0, 2.9, 2.9.18+2

▶PyPIansible2.10.0a1 — 2.10.6rc1+2

▶Debianansible< 2.10.7+merged+base+2.10.8+dfsg-1+3

▶CVEListV5ansibleansible-engine 2.9.18

▶NVDredhat/ansible_tower3.0

Also affects: Debian Linux 10.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Ansible Exposes Sensitive Information↗2022-05-25

▶

GHSA

Ansible Exposes Sensitive Information↗2022-05-25

▶

OSV

CVE-2021-20228: A flaw was found in the Ansible Engine 2↗2021-04-29

▶

CVEList

CVE-2021-20228: A flaw was found in the Ansible Engine 2↗2021-04-29

▶

📋Vendor Advisories

Microsoft

A flaw was found in the Ansible Engine 2.9.18 where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This fl↗2021-04-13

▶

Red Hat

ansible: basic.py no_log with fallback option↗2021-01-29

▶

Debian

CVE-2021-20228: ansible - A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not maske...↗2021

▶