#VU50429 Inclusion of Sensitive Information in Log Files in Ansible


Published: 2021-02-09 | Updated: 2021-02-22

Vulnerability identifier: #VU50429

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-20180

CWE-ID: CWE-532

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Ansible
Server applications / Remote management servers, RDP, SSH

Vendor: Red Hat Inc.

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the bitbucket_pipeline_variable module in ansible-collection discloses by default credentials in the console log. A local user can obtain bitbucket_pipeline credentials.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Ansible: 2.10.0 - 2.10.5


CPE

External links
http://security.archlinux.org/advisory/ASA-202102-9
http://bugzilla.redhat.com/show_bug.cgi?id=1915808
http://github.com/ansible-collections/community.general/pull/1635
http://github.com/ansible-collections/community.general/commit/a3f08377b2000f8e179e361bcfef4afec18ba1e5


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability