CVE-2021-20191

A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected.

CVSS v3.0 5.5 MEDIUM
CVSS v2.0 2.1 LOW

5.5^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1916813	Issue Tracking Vendor Advisory

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:oracle:virtualization:4.0:::::::*
	cpe:2.3:a:redhat:ansible::::::::
	cpe:2.3:a:redhat:ansible::::::::
	cpe:2.3:a:redhat:ansible::::::::
	cpe:2.3:a:redhat:ansible_tower:3.0:::::::*
	cpe:2.3:a:redhat:cisco_nx-os_collection::::::::
	cpe:2.3:a:redhat:community_general_collection::::::ansible::*
	cpe:2.3:a:redhat:community_general_collection::::::ansible::*
	cpe:2.3:a:redhat:community_network_collection::::::ansible::*
	cpe:2.3:a:redhat:community_network_collection::::::ansible::*
	cpe:2.3:a:redhat:docker_community_collection::::::ansible::*
	cpe:2.3:a:redhat:google_cloud_platform_ansible_collection:1.0.2:::::::*

Information

Published : 2021-05-26 14:15

Updated : 2021-06-03 06:59

NVD link : CVE-2021-20191

Mitre link : CVE-2021-20191

JSON object : View

CWE

CWE-532

Insertion of Sensitive Information into Log File

Advertisement

Products Affected

redhat

cisco_nx-os_collection
google_cloud_platform_ansible_collection
ansible
ansible_tower
community_general_collection
docker_community_collection
community_network_collection

oracle

virtualization

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813", "tags": ["Issue Tracking", "Vendor Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-532"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-20191", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "LOW", "acInsufInfo": false, "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}}, "publishedDate": "2021-05-26T21:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:oracle:virtualization:4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.8.19"}, {"cpe23Uri": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.9.18", "versionStartIncluding": "2.9.0"}, {"cpe23Uri": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.10.7", "versionStartIncluding": "2.10.0"}, {"cpe23Uri": "cpe:2.3:a:redhat:ansible_tower:3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:cisco_nx-os_collection:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.4.0"}, {"cpe23Uri": "cpe:2.3:a:redhat:community_general_collection:*:*:*:*:*:ansible:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.3.6"}, {"cpe23Uri": "cpe:2.3:a:redhat:community_general_collection:*:*:*:*:*:ansible:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.0.1", "versionStartIncluding": "2.0.0"}, {"cpe23Uri": "cpe:2.3:a:redhat:community_network_collection:*:*:*:*:*:ansible:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.3.2"}, {"cpe23Uri": "cpe:2.3:a:redhat:community_network_collection:*:*:*:*:*:ansible:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.0.1", "versionStartIncluding": "2.0.0"}, {"cpe23Uri": "cpe:2.3:a:redhat:docker_community_collection:*:*:*:*:*:ansible:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.2.2"}, {"cpe23Uri": "cpe:2.3:a:redhat:google_cloud_platform_ansible_collection:1.0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2021-06-03T13:59Z"}