CVE-2021-20191: Insertion of Sensitive Information into Log File in ansible
A flaw was found in ansible. Credentials, such as secrets, are disclosed in the console log by default and are not protected by the no_log feature when the affected modules are used. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.
References
- access.redhat.com/security/cve/cve-2021-20191
- bugzilla.redhat.com/show_bug.cgi?id=1916813
- github.com/advisories/GHSA-8f4m-hccc-8qph
- github.com/ansible/ansible
- github.com/ansible/ansible/commit/cc82d986c40328d4ae81298a9d287c95a6326bb0
- github.com/ansible/ansible/commit/d74a1b1d1325af2a24848044cf2858987f5a3ecc
- github.com/ansible/ansible/pull/73488
- github.com/ansible/ansible/pull/73489
- github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2021-124.yaml
- lists.debian.org/debian-lts-announce/2023/12/msg00018.html
- nvd.nist.gov/vuln/detail/CVE-2021-20191