Subject: [ASA-202102-30] ansible-base: information disclosure

Arch Linux Security Advisory ASA-202102-30
==========================================

Severity: Medium
Date    : 2021-02-20
CVE-ID  : CVE-2021-20228
Package : ansible-base
Type    : information disclosure
Remote  : No
Link    : https://security.archlinux.org/AVG-1562

Summary
=======

The package ansible-base before version 2.10.6-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 2.10.6-1.

# pacman -Syu "ansible-base>=2.10.6-1"

The problem has been fixed upstream in version 2.10.6.

Workaround
==========

None.

Description
===========

A flaw was found in the Ansible Engine, where sensitive info is not
masked by default and is not protected by the no_log feature when using
the sub-option feature of the basic.py module. This flaw allows an
attacker to obtain sensitive information.

Impact
======

A local attacker is able to disclose sensitive information when running
an Ansible playbook.

References
==========

https://bugzilla.redhat.com/show_bug.cgi?id=1925002
https://github.com/ansible/ansible/pull/73487
https://github.com/ansible/ansible/commit/e41d1f0a3fd6c466192e7e24accd3d1c6501111b
https://security.archlinux.org/CVE-2021-20228
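
The masking gap named in the Description, as a simplified Python model added here (not code from ansible-base or from the upstream fix): a collector that inspects only top-level options misses a no_log sub-option filled from its default, while a recursive collector catches it. The spec, values and function names are constructed for illustration; only the argument_spec keys (type, options, no_log, default) follow Ansible's layout.

```python
# Simplified model of no_log masking for sub-options; not Ansible's own code.
# SPEC and PARAMS are constructed sample data.
SPEC = {
    "host": {"type": "str"},
    "auth": {"type": "dict", "options": {
        "user": {"type": "str"},
        "token": {"type": "str", "no_log": True, "default": "s3cr3t-default"},
    }},
}
PARAMS = {"host": "db1", "auth": {"user": "svc"}}  # task input, token omitted

def apply_defaults(spec, params):
    """Fill in defaults, descending into dict-typed sub-options."""
    out = dict(params)
    for name, opt in spec.items():
        if name not in out and "default" in opt:
            out[name] = opt["default"]
        if "options" in opt and isinstance(out.get(name), dict):
            out[name] = apply_defaults(opt["options"], out[name])
    return out

def secrets_top_level(spec, params):
    """Weak collector: only looks at top-level options marked no_log."""
    return {str(params[n]) for n, o in spec.items() if o.get("no_log") and n in params}

def secrets_recursive(spec, params):
    """Hardened collector: also walks sub-options (dict or list of dicts)."""
    found = set()
    for name, opt in spec.items():
        value = params.get(name)
        if value is None:
            continue
        if opt.get("no_log"):
            found.add(str(value))
        if "options" in opt:
            for item in value if isinstance(value, list) else [value]:
                if isinstance(item, dict):
                    found |= secrets_recursive(opt["options"], item)
    return found

def mask(value, secrets):
    """Replace collected secrets in a nested result before it is logged."""
    if isinstance(value, dict):
        return {k: mask(v, secrets) for k, v in value.items()}
    if isinstance(value, str):
        for s in secrets:
            value = value.replace(s, "********")
    return value
```

Running `mask(apply_defaults(SPEC, PARAMS), ...)` with each collector shows the difference: the top-level collector leaves the defaulted token in the output, the recursive one replaces it.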