Multiple vulnerabilities in Red Hat Ansible



Published: 2021-02-09 | Updated: 2021-02-22
Risk Low
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2021-20180
CVE-2021-20178
CWE-ID CWE-532
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe
Ansible
Server applications / Remote management servers, RDP, SSH

Vendor Red Hat Inc.

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

Updated 22.02.2021

Added fixed version.

1) Inclusion of Sensitive Information in Log Files

EUVDB-ID: #VU50429

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-20180

CWE-ID: CWE-532 - Information Exposure Through Log Files

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the bitbucket_pipeline_variable module in ansible-collection discloses by default credentials in the console log. A local user can obtain bitbucket_pipeline credentials.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Ansible: 2.10.0 - 2.10.5

CPE2.3 External links

http://security.archlinux.org/advisory/ASA-202102-9
http://bugzilla.redhat.com/show_bug.cgi?id=1915808
http://github.com/ansible-collections/community.general/pull/1635
http://github.com/ansible-collections/community.general/commit/a3f08377b2000f8e179e361bcfef4afec18ba1e5


Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

2) Inclusion of Sensitive Information in Log Files

EUVDB-ID: #VU50428

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-20178

CWE-ID: CWE-532 - Information Exposure Through Log Files

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the snmp_facts module in Ansible discloses 'authkey' and 'privkey' credentials. A local user with access to the output of playbook execution can obtain SNMP credentials.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Ansible: 2.10.0 - 2.10.5

CPE2.3 External links

http://security.archlinux.org/advisory/ASA-202102-9
http://bugzilla.redhat.com/show_bug.cgi?id=1914774
http://github.com/ansible-collections/community.general/pull/1621
http://github.com/ansible-collections/community.general/commit/fa2d2d6971d668f82207dd3e265820fdb4b0048d


Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###