SB2021020903 - Multiple vulnerabilities in Red Hat Ansible
Published: February 9, 2021 Updated: February 22, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2021-20180)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to the bitbucket_pipeline_variable module in ansible-collection discloses by default credentials in the console log. A local user can obtain bitbucket_pipeline credentials.
2) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2021-20178)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to the snmp_facts module in Ansible discloses 'authkey' and 'privkey' credentials. A local user with access to the output of playbook execution can obtain SNMP credentials.
Remediation
Install update from vendor's website.
References
- https://security.archlinux.org/advisory/ASA-202102-9
- https://bugzilla.redhat.com/show_bug.cgi?id=1915808
- https://github.com/ansible-collections/community.general/pull/1635
- https://github.com/ansible-collections/community.general/commit/a3f08377b2000f8e179e361bcfef4afec18ba1e5
- https://bugzilla.redhat.com/show_bug.cgi?id=1914774
- https://github.com/ansible-collections/community.general/pull/1621
- https://github.com/ansible-collections/community.general/commit/fa2d2d6971d668f82207dd3e265820fdb4b0048d