FKIE_CVE-2021-20191

Vulnerability from fkie_nvd - Published: 2021-05-26 21:15 - Updated: 2024-11-21 05:46
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected.
References
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=1916813Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=1916813Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
Impacted products
Vendor Product Version
oracle virtualization 4.0
redhat ansible *
redhat ansible *
redhat ansible *
redhat ansible_tower 3.0
redhat cisco_nx-os_collection *
redhat community_general_collection *
redhat community_general_collection *
redhat community_network_collection *
redhat community_network_collection *
redhat docker_community_collection *
redhat google_cloud_platform_ansible_collection 1.0.2
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:virtualization:4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A303983A-E6D6-4CBC-B2DC-0293EFB623AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5863EEF1-48B9-4DCC-A34C-5881E5588C19",
              "versionEndExcluding": "2.8.19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2D02759E-9C13-45D9-B86D-282A1150AF9B",
              "versionEndExcluding": "2.9.18",
              "versionStartIncluding": "2.9.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "17362C62-F75B-456C-9E10-475DF200937E",
              "versionEndExcluding": "2.10.7",
              "versionStartIncluding": "2.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:ansible_tower:3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B31C575C-06D2-4CAF-A5B7-B9469B3ED55F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:cisco_nx-os_collection:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F583BB1E-C512-4101-8E08-8BAEEBA919AE",
              "versionEndExcluding": "1.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:community_general_collection:*:*:*:*:*:ansible:*:*",
              "matchCriteriaId": "059C2063-6AFB-4741-91BA-03869574A93F",
              "versionEndExcluding": "1.3.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:community_general_collection:*:*:*:*:*:ansible:*:*",
              "matchCriteriaId": "C91F2FC2-9231-423E-89B1-6DC68F56C58E",
              "versionEndExcluding": "2.0.1",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:community_network_collection:*:*:*:*:*:ansible:*:*",
              "matchCriteriaId": "D81319F0-E840-4A76-B2B4-21F8F6E9535D",
              "versionEndExcluding": "1.3.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:community_network_collection:*:*:*:*:*:ansible:*:*",
              "matchCriteriaId": "2DFEB5AE-7E63-417A-ADA5-D7FF03E3BDD9",
              "versionEndExcluding": "2.0.1",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:docker_community_collection:*:*:*:*:*:ansible:*:*",
              "matchCriteriaId": "4C27F139-C636-47E1-8BA4-6487DE2F0801",
              "versionEndExcluding": "1.2.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:google_cloud_platform_ansible_collection:1.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "2D000027-CB3B-4465-B0B6-546B334A8D58",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 un fallo en ansible.\u0026#xa0;Las credenciales, como los secretos, son divulgadas en el registro de la consola por defecto y no est\u00e1n protegidas por la funci\u00f3n no_log cuando son usados esos m\u00f3dulos.\u0026#xa0;Un atacante puede tomar ventaja de esta informaci\u00f3n para robar esas credenciales.\u0026#xa0;La mayor amenaza de esta vulnerabilidad es la confidencialidad de los datos.\u0026#xa0;Las versiones anteriores a ansible versi\u00f3n 2.9.18 est\u00e1n afectadas"
    }
  ],
  "id": "CVE-2021-20191",
  "lastModified": "2024-11-21T05:46:06.130",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 2.1,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-26T21:15:08.193",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916813"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.