Arch Linux alert ASA-202102-9 (ansible)
| From: | Remi Gacogne via arch-security <arch-security@lists.archlinux.org> | |
| To: | arch-security@archlinux.org | |
| Subject: | [ASA-202102-9] ansible: information disclosure | |
| Date: | Fri, 12 Feb 2021 08:04:19 +0100 | |
| Message-ID: | <4626d7e8-858c-7fd7-f69c-384b42ef42d2@archlinux.org> | |
| Cc: | Remi Gacogne <rgacogne@archlinux.org> |
Arch Linux Security Advisory ASA-202102-9 ========================================= Severity: Medium Date : 2021-02-06 CVE-ID : CVE-2021-20178 CVE-2021-20180 CVE-2021-20191 Package : ansible Type : information disclosure Remote : No Link : https://security.archlinux.org/AVG-1437 Summary ======= The package ansible before version 2.10.7-1 is vulnerable to information disclosure. Resolution ========== Upgrade to 2.10.7-1. # pacman -Syu "ansible>=2.10.7-1" The problems have been fixed upstream in version 2.10.7. Workaround ========== None. Description =========== - CVE-2021-20178 (information disclosure) A flaw was found in Ansible before version 2.10.6 where the 'authkey' and 'privkey' credentials are disclosed by default and not protected by no_log feature when using the snmp_facts module. Attackers could take advantage of this information to steal the SNMP credentials. - CVE-2021-20180 (information disclosure) A flaw was found in Ansible before version 2.10.6 where credentials such as secrets are being disclosed in console log by default and not protected by secured feature when using bitbucket_pipeline_variable module. An attacker can take advantage of this information to steal bitbucket_pipeline credentials. - CVE-2021-20191 (information disclosure) A flaw was found in ansible-collection where credentials such as secrets are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. Impact ====== A local attacker can access sensitive information like credentials and keys. References ========== https://bugzilla.redhat.com/show_bug.cgi?id=1914774 https://github.com/ansible-collections/community.general/... https://github.com/ansible-collections/community.general/... https://bugzilla.redhat.com/show_bug.cgi?id=1915808 https://github.com/ansible-collections/community.general/... https://github.com/ansible-collections/community.general/... https://bugzilla.redhat.com/show_bug.cgi?id=1916813 https://github.com/ansible-collections/cisco.nxos/pull/227 https://github.com/ansible-collections/cisco.nxos/commit/... https://security.archlinux.org/CVE-2021-20178 https://security.archlinux.org/CVE-2021-20180 https://security.archlinux.org/CVE-2021-20191