Multiple vulnerabilities in Red Hat Ansible
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2021-20180 CVE-2021-20178 |
| CWE-ID | CWE-532 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Ansible Server applications / Remote management servers, RDP, SSH |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
Updated 22.02.2021
Added fixed version.
1) Inclusion of Sensitive Information in Log Files
EUVDB-ID: #VU50429
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2021-20180
CWE-ID:
CWE-532 - Information Exposure Through Log Files
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to the bitbucket_pipeline_variable module in ansible-collection discloses by default credentials in the console log. A local user can obtain bitbucket_pipeline credentials.
Install update from vendor's website.
Vulnerable software versionsAnsible: 2.10.0 - 2.10.5
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-202102-9
http://bugzilla.redhat.com/show_bug.cgi?id=1915808
http://github.com/ansible-collections/community.general/pull/1635
http://github.com/ansible-collections/community.general/commit/a3f08377b2000f8e179e361bcfef4afec18ba1e5
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
2) Inclusion of Sensitive Information in Log Files
EUVDB-ID: #VU50428
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2021-20178
CWE-ID:
CWE-532 - Information Exposure Through Log Files
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to the snmp_facts module in Ansible discloses 'authkey' and 'privkey' credentials. A local user with access to the output of playbook execution can obtain SNMP credentials.
Install update from vendor's website.
Vulnerable software versionsAnsible: 2.10.0 - 2.10.5
CPE2.3 External linkshttp://security.archlinux.org/advisory/ASA-202102-9
http://bugzilla.redhat.com/show_bug.cgi?id=1914774
http://github.com/ansible-collections/community.general/pull/1621
http://github.com/ansible-collections/community.general/commit/fa2d2d6971d668f82207dd3e265820fdb4b0048d
Q & A
Can this vulnerability be exploited remotely?
How the attacker can exploit this vulnerability?
Is there known malware, which exploits this vulnerability?
