The bitbucket_pipeline module leaks sensitive info such as secret values. This could lead in disclosing those credentials for every user which has access to the output of playbook execution.
Acknowledgments: Name: Abhijeet Kasurde (Red Hat)
Created ansible tracking bugs for this issue: Affects: epel-all [bug 1917465] Affects: fedora-all [bug 1917463] Affects: openstack-rdo [bug 1917464]
Statement: The version of Ansible provided in Red Hat Gluster Storage 3 does not contain the vulnerable bitbucket module and is not affected by this vulnerability. However, Red Hat Gluster Storage 3 no longer maintains its own version of Ansible. The prerequisite is to enable the Ansible repository in order to consume the latest version of Ansible, which includes bug and security fixes.
This issue has been addressed in the following products: Red Hat Ansible Engine 2 for RHEL 8 Red Hat Ansible Engine 2 for RHEL 7 Via RHSA-2021:0663 https://access.redhat.com/errata/RHSA-2021:0663
This issue has been addressed in the following products: Red Hat Ansible Engine 2.9 for RHEL 8 Red Hat Ansible Engine 2.9 for RHEL 7 Via RHSA-2021:0664 https://access.redhat.com/errata/RHSA-2021:0664
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-20180
This issue has been addressed in the following products: Red Hat Ansible Automation Platform 1.2 for RHEL 7 Via RHSA-2021:1079 https://access.redhat.com/errata/RHSA-2021:1079
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Red Hat Virtualization Engine 4.4 Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8 Via RHSA-2021:2180 https://access.redhat.com/errata/RHSA-2021:2180