Vulnerability identifier: #VU50429
Vulnerability risk: Low
CVSSv3.1:
CVE-ID:
CWE-ID:
CWE-532
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Ansible
Server applications /
Remote management servers, RDP, SSH
Vendor: Red Hat Inc.
Description
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to the bitbucket_pipeline_variable module in ansible-collection discloses by default credentials in the console log. A local user can obtain bitbucket_pipeline credentials.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Ansible: 2.10.0 - 2.10.5
CPE
External links
http://security.archlinux.org/advisory/ASA-202102-9
http://bugzilla.redhat.com/show_bug.cgi?id=1915808
http://github.com/ansible-collections/community.general/pull/1635
http://github.com/ansible-collections/community.general/commit/a3f08377b2000f8e179e361bcfef4afec18ba1e5
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?