Bug 1915808 (CVE-2021-20180)
Summary: | CVE-2021-20180 ansible module: bitbucket_pipeline_variable exposes secured values | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tapas Jena <tjena> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | a.badger, bcoca, btarraso, carnil, cmeyers, dbecker, dblechte, dfediuck, eedri, gblomqui, hvyas, jcammara, jjoyce, jobarker, jschluet, kevin, lhh, lpeer, mabashia, maxim, mburns, mgoldboi, michal.skrivanek, msiddiqu, notting, puebele, relrod, rpetrell, sbonazzo, sclewis, sdoran, sherold, slinaber, smcdonal, tkuratom, tuxmealux+redhatbz, yturgema |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | ansible 2.9.18 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in the Ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality. | | |
Last Closed: | 2021-02-24 19:02:30 UTC | Type: | --- |
Bug Depends On: | 1915809, 1915810, 1915811, 1917463, 1917464, 1917465, 1917466, 1917467, 1917468, 1962577 | ||
Bug Blocks: | 1908416, 1932801 |
Description
Tapas Jena
2021-01-13 13:16:11 UTC
Acknowledgments:
Name: Abhijeet Kasurde (Red Hat)

Created ansible tracking bugs for this issue:
Affects: epel-all [bug 1917465]
Affects: fedora-all [bug 1917463]
Affects: openstack-rdo [bug 1917464]

Statement:
The version of Ansible provided in Red Hat Gluster Storage 3 does not contain the vulnerable bitbucket module and is not affected by this vulnerability. However, Red Hat Gluster Storage 3 no longer maintains its own version of Ansible. The prerequisite is to enable the Ansible repository in order to consume the latest version of Ansible, which includes bug and security fixes.

This issue has been addressed in the following products:
Red Hat Ansible Engine 2 for RHEL 8
Red Hat Ansible Engine 2 for RHEL 7
Via RHSA-2021:0663 https://access.redhat.com/errata/RHSA-2021:0663

This issue has been addressed in the following products:
Red Hat Ansible Engine 2.9 for RHEL 8
Red Hat Ansible Engine 2.9 for RHEL 7
Via RHSA-2021:0664 https://access.redhat.com/errata/RHSA-2021:0664

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-20180

This issue has been addressed in the following products:
Red Hat Ansible Automation Platform 1.2 for RHEL 7
Via RHSA-2021:1079 https://access.redhat.com/errata/RHSA-2021:1079

This issue has been addressed in the following products:
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
Red Hat Virtualization Engine 4.4
Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8
Via RHSA-2021:2180 https://access.redhat.com/errata/RHSA-2021:2180