Bug 1984755

Summary: ansible: uri module authentication leak in redirect
Product: [Other] Security Response
Reporter: Tapas Jena <tjena>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: a.badger, asherlan, bcoca, dbecker, dylan, gblomqui, jcammara, jhardy, jjoyce, jobarker, jschluet, kevin, lhh, lpeer, mabashia, maxim, mburns, patrick, rpetrell, sclewis, slinaber, smcdonal, tkuratom
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the uri module of Ansible Engine, where it re-sends any Authorization header, including one created to carry url_password, on redirects. The highest threat from this vulnerability is sensitive information disclosure.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1984757, 1984758, 1984759, 1984760, 1984761
Bug Blocks: 1980457

Description Tapas Jena 2021-07-22 07:43:16 UTC
The uri module is being accessed using Python there, and Python passes Authorization headers. Though Ansible has an unredirected_headers option, it's not exposed to the uri module. It would also require users to explicitly state the headers they don't want to be redirected. The unredirected_headers option is actually being used in Galaxy requests, as shown below:

https://github.com/ansible/ansible/blob/bf7d4ce260dc4ffc6074b2a392b9ff4d3794308b/lib/ansible/galaxy/collection/concrete_artifact_manager.py#L402-L409 

So, in the case of Galaxy, it's already defined in the code that if it's an "Authorization" header, it won't be redirected.

Unredirected_headers is exposed in the url lookup plugin, but not in either get_url or uri, and it will only affect those users that use force_basic_auth, which inserts the Authorization header purposefully, or users who put Authorization in headers explicitly.

Hence, I believe a CVE is not required in such a scenario, since the user has explicitly told the module to send an Authorization header with the requests.

The best way would be submitting a feature PR for 2.12 that exposes unredirected_headers in the uri and get_url modules, where a new argument can be introduced to the module for the upcoming release (minor release 2.12).
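The behaviour described in this report can be reproduced against a throwaway local server. The script below is an added example, not code from the bug report or from Ansible; it uses plain urllib, which Ansible's open_url builds on, and it assumes (my understanding, not stated on this page) that Ansible's unredirected_headers list maps onto urllib's add_unredirected_header(). The server, paths and credential are constructed for the demo.

```python
# Added example (not from the bug report or the Ansible code base): show how
# urllib forwards an Authorization header across a 302 redirect unless the
# header was registered as an *unredirected* header.
import http.server
import threading
import urllib.request

# Constructed credential: base64 of "user:pass", the shape force_basic_auth sends.
SECRET = "Basic dXNlcjpwYXNz"


def probe(use_unredirected_header):
    """Fetch /start on a throwaway local server that 302-redirects to /landing,
    and return {path: Authorization header value the server saw on that path}."""
    seen = {}

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            seen[self.path] = self.headers.get("Authorization")
            if self.path == "/start":
                port = self.server.server_address[1]
                # urllib drops unredirected headers on any redirect, so a
                # same-host target is enough to show the mechanism; the real
                # exposure is a redirect to a different host.
                self.send_response(302)
                self.send_header("Location", f"http://127.0.0.1:{port}/landing")
                self.end_headers()
                return
            body = b"ok"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass  # keep the demo quiet

    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        req = urllib.request.Request(f"http://127.0.0.1:{port}/start")
        if use_unredirected_header:
            # Assumed equivalent of Ansible's unredirected_headers handling.
            req.add_unredirected_header("Authorization", SECRET)
        else:
            # What uri/get_url did for explicit headers and force_basic_auth.
            req.add_header("Authorization", SECRET)
        # Empty ProxyHandler so any http_proxy in the environment is ignored.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        with opener.open(req, timeout=5) as resp:
            resp.read()
    finally:
        server.shutdown()
        server.server_close()
    return seen


def leaks_credential(use_unredirected_header):
    """True when the credential reached the redirect target (/landing)."""
    return probe(use_unredirected_header)["/landing"] == SECRET


if __name__ == "__main__":
    print("add_header:              leaked =", leaks_credential(False))
    print("add_unredirected_header: leaked =", leaks_credential(True))
```

Running it shows the header reaching /landing in the add_header case and absent from it in the add_unredirected_header case, while /start receives the credential both times. That is the whole fix proposed above: the first request is unchanged, only the redirected request stops carrying Authorization.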

Comment 2 Tapas Jena 2021-07-22 07:50:04 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1984760]
Affects: fedora-all [bug 1984759]
Affects: openstack-rdo [bug 1984761]