Back to bug 1989407
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Tapas Jena | 2021-08-03 07:25:44 UTC | CC | security-response-team | |
| Pedro Sampaio | 2021-08-03 20:51:16 UTC | Summary | EMBARGOED ansible: Secrets leakage vulnerability with ansible collections and ansible galaxy | EMBARGOED CVE-2021-3681 ansible: Secrets leakage vulnerability with ansible collections and ansible galaxy |
| | | Alias | CVE-2021-3681 | |
| Pedro Sampaio | 2021-08-03 20:51:49 UTC | Blocks | 1989747 | |
| Tapas Jena | 2021-08-04 06:54:32 UTC | Depends On | 1989831 | |
| Tapas Jena | 2021-08-04 07:00:13 UTC | CC | a.badger, dbecker, jjoyce, jschluet, kevin, lhh, lpeer, maxim, mburns, patrick, sclewis, slinaber | |
| | | Group | qe_staff, security | |
| | | Summary | EMBARGOED CVE-2021-3681 ansible: Secrets leakage vulnerability with ansible collections and ansible galaxy | CVE-2021-3681 ansible: Secrets leakage vulnerability with ansible collections and ansible galaxy |
| Gianluca Gabrielli | 2021-08-04 12:29:23 UTC | CC | tuxmealux+redhatbz | |
| RaTasha Tillery-Smith | 2021-08-04 12:31:58 UTC | Doc Text | A flaw was found in Ansible Galaxy's Collections when collections are being built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in the "galaxy.yml" , files will be included in the ``.tar.gz`` file which may contain sensitive info like user's Ansible Galaxy API key, any secrets in ``ansible`` or ``ansible-playbook`` verbose output without ``no_log`` redaction and currently there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection will possess the secrets. The highest threat out of this vulnerability is to "Confidentiality". | A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in "galaxy.yml" include files in the ``.tar.gz`` file. This contains sensitive info, such as the user's Ansible Galaxy API key and any secrets in ``ansible`` or ``ansible-playbook`` verbose output without the``no_log`` redaction. Currently, there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets. The highest threat from this vulnerability is to confidentiality. |
| Red Hat Bugzilla | 2021-11-02 15:42:15 UTC | CC | notting | |
| Tapas Jena | 2021-11-12 17:35:34 UTC | Depends On | 2022836, 2022837, 2022835 | |
| Red Hat Bugzilla | 2021-12-15 11:50:48 UTC | CC | cmeyers | |
| Red Hat Bugzilla | 2021-12-20 17:33:27 UTC | CC | sdoran | |
| Red Hat Bugzilla | 2022-04-23 04:25:52 UTC | CC | chousekn | |
| Red Hat Bugzilla | 2023-07-07 08:30:03 UTC | Assignee | security-response-team | nobody |
| | | CC | security-response-team | |