Vulnerability Description
A flaw was found in Ansible. Credentials, such as secrets, are disclosed in the console log by default and are not protected by the no_log feature when using the affected modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected.
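One way to audit a module for the class of flaw described above, as an added example (not code from Ansible or from this advisory): the function walks a module's `argument_spec` and reports secret-looking parameters that never set `no_log`. The name pattern, the function name and `SAMPLE_SPEC` are assumptions made for illustration.

```python
import re

# Assumed heuristic for "this parameter probably carries a credential".
# Tune the pattern for the modules you maintain.
SECRET_NAME = re.compile(
    r"(pass(word|phrase|wd)?|secret|token|api_?key|private_?key|credential)", re.I
)


def find_unprotected_secrets(argument_spec, prefix=""):
    """Return dotted names of secret-looking parameters that do not set no_log.

    Checks parameter names and aliases, and recurses into suboptions.
    """
    findings = []
    for name, spec in argument_spec.items():
        spec = spec or {}
        path = prefix + name
        names = [name] + list(spec.get("aliases", []))
        looks_secret = any(SECRET_NAME.search(n) for n in names)
        # Policy assumed here: an explicit no_log=False counts as a reviewed
        # decision (e.g. 'update_password' is a mode flag, not a secret).
        if looks_secret and "no_log" not in spec:
            findings.append(path)
        # Conservative: suboptions are checked even if the parent sets no_log.
        if isinstance(spec.get("options"), dict):
            findings.extend(find_unprotected_secrets(spec["options"], path + "."))
    return findings


# Constructed sample spec, not taken from any real module.
SAMPLE_SPEC = {
    "host": {"type": "str", "required": True},
    "password": {"type": "str", "no_log": True},
    "api_token": {"type": "str"},
    "update_password": {"type": "str", "no_log": False},
    "provider": {"type": "dict", "options": {
        "username": {"type": "str"},
        "auth_pass": {"type": "str"},
        "ssh_keyfile": {"type": "path"},
    }},
    "key": {"type": "str", "aliases": ["client_secret"]},
}

if __name__ == "__main__":
    for param in find_unprotected_secrets(SAMPLE_SPEC):
        print(f"missing no_log: {param}")
```

Each reported parameter is a candidate for `no_log=True` in the module's `argument_spec`; a name-based match only flags candidates and still needs manual review.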
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oracle | Virtualization | 4.0 |
| Redhat | Ansible | < 2.8.19 |
| Redhat | Ansible Tower | 3.0 |
| Redhat | Cisco Nx-Os Collection | < 1.4.0 |
| Redhat | Community General Collection | < 1.3.6 |
| Redhat | Community Network Collection | < 1.3.2 |
| Redhat | Docker Community Collection | < 1.2.2 |
| Redhat | Google Cloud Platform Ansible Collection | 1.0.2 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1916813 (Issue Tracking, Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
FAQ
What is CVE-2021-20191?
CVE-2021-20191 is a vulnerability with a CVSS score of 5.5 (MEDIUM). A flaw was found in Ansible. Credentials, such as secrets, are disclosed in the console log by default and are not protected by the no_log feature when using the affected modules. An attacker can take advantage of...
How severe is CVE-2021-20191?
CVE-2021-20191 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-20191?
Check the references section above for vendor advisories and patch information. Affected products include: Oracle Virtualization, Redhat Ansible, Redhat Ansible Tower, Redhat Cisco Nx-Os Collection, Redhat Community General Collection.