Bug 1989407 (CVE-2021-3681)

Summary: CVE-2021-3681 ansible: Secrets leakage vulnerability with ansible collections and ansible galaxy
Product: [Other] Security Response
Reporter: Tapas Jena <tjena>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: a.badger, bcoca, davidn, dbecker, gblomqui, jcammara, jhardy, jjoyce, jobarker, jschluet, kevin, lhh, lpeer, mabashia, maxim, mburns, osapryki, patrick, relrod, rpetrell, sclewis, slinaber, smcdonal, tkuratom, tuxmealux+redhatbz
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in ``galaxy.yml`` are included in the ``.tar.gz`` file. This may contain sensitive information, such as the user's Ansible Galaxy API key and any secrets captured in ``ansible`` or ``ansible-playbook`` verbose output without ``no_log`` redaction. Currently, there is no way to deprecate a collection or delete a collection version. Once published, anyone who downloads or installs the collection can view the secrets. The highest threat from this vulnerability is to confidentiality.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2022836, 1989831, 2022835, 2022837
Bug Blocks: 1984436, 1989747

Description Tapas Jena 2021-08-03 07:25:44 UTC
When someone is manually building collections, *any files* in the repository directory that are *not* explicitly excluded via the ``build_ignore`` list in the ``galaxy.yml`` file will be included in the ``.tar.gz`` file which may include the user's Ansible Galaxy API key, any secrets in ``ansible`` or ``ansible-playbook`` verbose output without ``no_log`` redaction, or any other secrets that a developer unknowingly places in the repository directory while developing and testing the collection. Once published, anyone who downloads or installs the collection will possess the secrets.
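The description above explains the mechanism: anything in the working tree that ``build_ignore`` does not exclude ends up in the published artifact. The following Python is an added example, not code from the bug report or from Ansible itself. It models that mechanism with a constructed working tree (placeholder secrets only), applies a ``build_ignore`` list using a simplified fnmatch approximation of the real ``galaxy.yml`` semantics, and then audits the resulting ``.tar.gz`` for members that look like they carry secrets, which is the pre-publish check a collection maintainer would want to run. The file names, patterns and heuristics are assumptions chosen for the example.

```python
"""Pre-publish audit of an Ansible collection artifact (added example, not Ansible code).

The build_ignore handling is a simplified fnmatch approximation of the real
galaxy.yml semantics; the working tree and patterns below are constructed.
"""
import fnmatch
import io
import re
import tarfile

# Constructed working tree: relative path -> file contents (placeholder secrets).
REPO_FILES = {
    "galaxy.yml": "namespace: example\nname: demo\nversion: 1.0.0\n",
    "plugins/modules/demo.py": "def main():\n    pass\n",
    "README.md": "# demo collection\n",
    ".galaxy_token": "token: PLACEHOLDER_GALAXY_API_KEY\n",
    "ansible.log": 'TASK [debug] ok: {"password": "PLACEHOLDER_SECRET"}\n',
    ".env": "DB_PASSWORD=PLACEHOLDER\n",
    "tests/output/vault.key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
}

# Patterns a maintainer would put in the build_ignore list of galaxy.yml (assumed).
BUILD_IGNORE = [".galaxy_token", "*.log", ".env", "tests/output/*"]

# Heuristics for the audit step: suspicious basenames and suspicious content.
SUSPICIOUS_NAMES = ["*token*", "*.log", ".env", "*.pem", "*.key", "*vault*"]
SUSPICIOUS_CONTENT = re.compile(
    r"(?i)(token|password|secret|api[_-]?key)[\"']?\s*[:=]"
    r"|-----BEGIN [A-Z ]*PRIVATE KEY-----"
)


def is_ignored(rel_path, patterns):
    """True if rel_path matches any pattern, on the whole path or any path component."""
    components = rel_path.split("/")
    for pattern in patterns:
        if fnmatch.fnmatch(rel_path, pattern):
            return True
        if any(fnmatch.fnmatch(part, pattern) for part in components):
            return True
    return False


def build_artifact(files, build_ignore):
    """Build an in-memory .tar.gz containing every file not excluded by build_ignore."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel_path, text in sorted(files.items()):
            if is_ignored(rel_path, build_ignore):
                continue
            data = text.encode()
            info = tarfile.TarInfo(name=rel_path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_artifact(tar_bytes):
    """Return the names of artifact members that look like they carry secrets."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            base = member.name.rsplit("/", 1)[-1]
            by_name = any(fnmatch.fnmatch(base, p) for p in SUSPICIOUS_NAMES)
            content = tar.extractfile(member).read().decode(errors="replace")
            by_content = bool(SUSPICIOUS_CONTENT.search(content))
            if by_name or by_content:
                findings.append(member.name)
    return sorted(findings)


if __name__ == "__main__":
    # Empty build_ignore reproduces the scenario in the report: everything is packaged.
    leaky = build_artifact(REPO_FILES, [])
    print("unfiltered build, suspicious members:", audit_artifact(leaky))
    filtered = build_artifact(REPO_FILES, BUILD_IGNORE)
    print("filtered build, suspicious members:", audit_artifact(filtered))
```

Running the script shows the unfiltered build carrying the token file, the verbose log, the ``.env`` file and the key under ``tests/output``, while the build with the ``build_ignore`` list applied reports nothing. The audit is deliberately independent of the ignore list: it inspects the artifact that would actually be uploaded, so it also catches files a maintainer forgot to list.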

Comment 3 Tapas Jena 2021-08-04 06:56:13 UTC
Analysis is complete for Ansible components and found to be a valid security bug. Required trackers have been created.

Comment 5 Tapas Jena 2021-11-12 17:35:40 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 2022836]
Affects: fedora-all [bug 2022835]
Affects: openstack-rdo [bug 2022837]