Vulnerability Description
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Ansible | < 2.9.18 |
| Redhat | Ansible Tower | 3.0 |
| Fedoraproject | Fedora | 32 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1914774Issue TrackingVendor Advisory
- https://github.com/ansible-collections/community.general/pull/1635%2C
- https://github.com/ansible/ansible/blob/v2.9.18/changelogs/CHANGELOG-v2.9.rst#se
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://bugzilla.redhat.com/show_bug.cgi?id=1914774Issue TrackingVendor Advisory
- https://github.com/ansible-collections/community.general/pull/1635%2C
- https://github.com/ansible/ansible/blob/v2.9.18/changelogs/CHANGELOG-v2.9.rst#se
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2021-20178?
CVE-2021-20178 is a vulnerability with a CVSS score of 5.5 (MEDIUM). A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw ...
How severe is CVE-2021-20178?
CVE-2021-20178 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-20178?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Ansible, Redhat Ansible Tower, Fedoraproject Fedora.