Bug 1915808 (CVE-2021-20180)

Summary: CVE-2021-20180 ansible module: bitbucket_pipeline_variable exposes secured values
Product: [Other] Security Response Reporter: Tapas Jena <tjena>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: a.badger, bcoca, btarraso, carnil, cmeyers, dbecker, dblechte, dfediuck, eedri, gblomqui, hvyas, jcammara, jjoyce, jobarker, jschluet, kevin, lhh, lpeer, mabashia, maxim, mburns, mgoldboi, michal.skrivanek, msiddiqu, notting, puebele, relrod, rpetrell, sbonazzo, sclewis, sdoran, sherold, slinaber, smcdonal, tkuratom, tuxmealux+redhatbz, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ansible 2.9.18 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-24 19:02:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1915809, 1915810, 1915811, 1917463, 1917464, 1917465, 1917466, 1917467, 1917468, 1962577    
Bug Blocks: 1908416, 1932801    

Description Tapas Jena 2021-01-13 13:16:11 UTC 
The bitbucket_pipeline module leaks sensitive info such as secret values. This could lead in disclosing those credentials for every user which has access to the output of playbook execution.
Comment 1 Tapas Jena 2021-01-13 13:16:17 UTC 
Acknowledgments:

Name: Abhijeet Kasurde (Red Hat)
Comment 5 Tapas Jena 2021-01-18 14:35:51 UTC 
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1917465]
Affects: fedora-all [bug 1917463]
Affects: openstack-rdo [bug 1917464]
Comment 12 RaTasha Tillery-Smith 2021-02-04 19:00:40 UTC 
Statement:

The version of Ansible provided in Red Hat Gluster Storage 3 does not contain the vulnerable bitbucket module and is not affected by this vulnerability. However, Red Hat Gluster Storage 3 no longer maintains its own version of Ansible. The prerequisite is to enable the Ansible repository in order to consume the latest version of Ansible, which includes bug and security fixes.
Comment 14 errata-xmlrpc 2021-02-24 17:46:11 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 8
  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2021:0663 https://access.redhat.com/errata/RHSA-2021:0663
Comment 15 errata-xmlrpc 2021-02-24 17:46:56 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 8
  Red Hat Ansible Engine 2.9 for RHEL 7

Via RHSA-2021:0664 https://access.redhat.com/errata/RHSA-2021:0664
Comment 16 Product Security DevOps Team 2021-02-24 19:02:30 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20180
Comment 18 errata-xmlrpc 2021-04-06 13:20:45 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 1.2 for RHEL 7

Via RHSA-2021:1079 https://access.redhat.com/errata/RHSA-2021:1079
Comment 21 errata-xmlrpc 2021-06-01 13:23:35 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
  Red Hat Virtualization Engine 4.4
  Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8

Via RHSA-2021:2180 https://access.redhat.com/errata/RHSA-2021:2180