CVE-2021-20191
medium
CVSS v3
—
CVSS v2
—
VIR risk
5.5
Description
A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2021-20191.html
Vendor advisory: arch — https://security.archlinux.org/ASA-202102-9
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2021-20191
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bullseye | fixed | 2.10.7-1 |
| debian | bookworm | fixed | 2.10.7-1 |
| debian | forky | fixed | 2.10.7-1 |
| debian | sid | fixed | 2.10.7-1 |
| debian | trixie | fixed | 2.10.7-1 |
| arch | fixed | 2.10.7-1 | |
| sles | affected | |
References
- https://security-tracker.debian.org/tracker/CVE-2021-20191
- https://security.archlinux.org/ASA-202102-9
- https://nvd.nist.gov/vuln/detail/CVE-2021-20191
- https://github.com/ansible/ansible/pull/73488
- https://github.com/ansible/ansible/pull/73489
- https://github.com/ansible/ansible/commit/cc82d986c40328d4ae81298a9d287c95a6326bb0
- https://github.com/ansible/ansible/commit/d74a1b1d1325af2a24848044cf2858987f5a3ecc
- https://access.redhat.com/security/cve/cve-2021-20191
- https://bugzilla.redhat.com/show_bug.cgi?id=1916813
- https://github.com/advisories/GHSA-8f4m-hccc-8qph
- https://github.com/ansible/ansible
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2021-124.yaml
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
- https://www.suse.com/security/cve/CVE-2021-20191.html
Verify integrity in audit chain (admin only). AS-IS.