Subject: [ASA-202102-9] ansible: information disclosure Arch Linux Security Advisory ASA-202102-9 ========================================= Severity: Medium Date : 2021-02-06 CVE-ID : CVE-2021-20178 CVE-2021-20180 CVE-2021-20191 Package : ansible Type : information disclosure Remote : No Link : https://security.archlinux.org/AVG-1437 Summary ======= The package ansible before version 2.10.7-1 is vulnerable to information disclosure. Resolution ========== Upgrade to 2.10.7-1. # pacman -Syu "ansible>=2.10.7-1" The problems have been fixed upstream in version 2.10.7. Workaround ========== None. Description =========== - CVE-2021-20178 (information disclosure) A flaw was found in Ansible before version 2.10.6 where the 'authkey' and 'privkey' credentials are disclosed by default and not protected by no_log feature when using the snmp_facts module. Attackers could take advantage of this information to steal the SNMP credentials. - CVE-2021-20180 (information disclosure) A flaw was found in Ansible before version 2.10.6 where credentials such as secrets are being disclosed in console log by default and not protected by secured feature when using bitbucket_pipeline_variable module. An attacker can take advantage of this information to steal bitbucket_pipeline credentials. - CVE-2021-20191 (information disclosure) A flaw was found in ansible-collection where credentials such as secrets are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. Impact ====== A local attacker can access sensitive information like credentials and keys. References ========== https://bugzilla.redhat.com/show_bug.cgi?id=1914774 https://github.com/ansible-collections/community.general/pull/1621 https://github.com/ansible-collections/community.general/commit/fa2d2d6971d668f82207dd3e265820fdb4b0048d https://bugzilla.redhat.com/show_bug.cgi?id=1915808 https://github.com/ansible-collections/community.general/pull/1635 https://github.com/ansible-collections/community.general/commit/a3f08377b2000f8e179e361bcfef4afec18ba1e5 https://bugzilla.redhat.com/show_bug.cgi?id=1916813 https://github.com/ansible-collections/cisco.nxos/pull/227 https://github.com/ansible-collections/cisco.nxos/commit/120956963f47502151a358e4a7bc2a87f71813aa https://security.archlinux.org/CVE-2021-20178 https://security.archlinux.org/CVE-2021-20180 https://security.archlinux.org/CVE-2021-20191