Bug 1915808 (CVE-2021-20180) - CVE-2021-20180 ansible module: bitbucket_pipeline_variable exposes secured values
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-20180
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1915810 1917464 1917466 1917467 1915809 1915811 1917463 1917465 1917468 1962577
Blocks: 1932801 1908416
Reported: 2021-01-13 13:16 UTC by Tapas Jena
Modified: 2021-06-01 13:23 UTC

Fixed In Version: ansible 2.9.18
Doc Text:
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed: 2021-02-24 19:02:30 UTC


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2021:0663 | 0 | None | None | None | 2021-02-24 17:46:14 UTC
Red Hat Product Errata | RHSA-2021:0664 | 0 | None | None | None | 2021-02-24 17:46:58 UTC

Description Tapas Jena 2021-01-13 13:16:11 UTC
The bitbucket_pipeline module leaks sensitive info such as secret values. This could lead to disclosing those credentials to every user who has access to the output of playbook execution.
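
A defensive playbook pattern for the exposure described above, added here as an example and not taken from the bug report or the Ansible project: it stops on releases older than the fix this bug lists and sets task-level `no_log` on the task that carries the secret. The account, repository, variable name and `vault_*` variables are hypothetical placeholders.

```yaml
# Added example. Account, repository and variable names are hypothetical placeholders.
- name: Manage a secured Bitbucket pipeline variable without logging it
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    # This bug lists "Fixed In Version: ansible 2.9.18"; stop on older releases.
    - name: Refuse to run on an Ansible release older than the fix
      assert:
        that:
          - ansible_version.full is version('2.9.18', '>=')
        fail_msg: "Ansible {{ ansible_version.full }} predates the CVE-2021-20180 fix"

    - name: Set the deployment token as a secured variable
      bitbucket_pipeline_variable:
        client_id: "{{ vault_bitbucket_client_id }}"
        client_secret: "{{ vault_bitbucket_client_secret }}"
        username: example-account
        repository: example-repo
        name: DEPLOY_TOKEN
        value: "{{ vault_deploy_token }}"
        secured: true
        state: present
      # Task-level no_log keeps this task's arguments and result out of console
      # output and logs, independent of what the module itself masks.
      no_log: true
```

The version check applies to the 2.9 packaging named in this bug, where the module ships with Ansible itself.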

Comment 1 Tapas Jena 2021-01-13 13:16:17 UTC
Acknowledgments:

Name: Abhijeet Kasurde (Red Hat)

Comment 5 Tapas Jena 2021-01-18 14:35:51 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1917465]
Affects: fedora-all [bug 1917463]
Affects: openstack-rdo [bug 1917464]

Comment 12 RaTasha Tillery-Smith 2021-02-04 19:00:40 UTC
Statement:

The version of Ansible provided in Red Hat Gluster Storage 3 does not contain the vulnerable bitbucket module and is not affected by this vulnerability. However, Red Hat Gluster Storage 3 no longer maintains its own version of Ansible. The prerequisite is to enable the Ansible repository in order to consume the latest version of Ansible, which includes bug and security fixes.

Comment 14 errata-xmlrpc 2021-02-24 17:46:11 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 8
  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2021:0663 https://access.redhat.com/errata/RHSA-2021:0663

Comment 15 errata-xmlrpc 2021-02-24 17:46:56 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 8
  Red Hat Ansible Engine 2.9 for RHEL 7

Via RHSA-2021:0664 https://access.redhat.com/errata/RHSA-2021:0664

Comment 16 Product Security DevOps Team 2021-02-24 19:02:30 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20180

Comment 18 errata-xmlrpc 2021-04-06 13:20:45 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 1.2 for RHEL 7

Via RHSA-2021:1079 https://access.redhat.com/errata/RHSA-2021:1079

Comment 21 errata-xmlrpc 2021-06-01 13:23:35 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
  Red Hat Virtualization Engine 4.4
  Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8

Via RHSA-2021:2180 https://access.redhat.com/errata/RHSA-2021:2180

