Bug 1975767 (CVE-2021-3620) - CVE-2021-3620 Ansible: ansible-connection module discloses sensitive info in traceback error message
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3620
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1977598 1976206 1976863 1976864 1976865 1977086 1977592 1977593 1977599 1977600 2014239
Blocks: 1969893 1975967
 
Reported: 2021-06-24 11:08 UTC by Tapas Jena
Modified: 2021-12-29 11:19 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed: 2021-10-14 20:08:20 UTC
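An added illustration of the failure mode the Doc Text describes (example code written for this page, not Ansible's ansible-connection code and not the upstream fix): a connection helper whose exception text carries the whole option bundle, so a caller that returns traceback.format_exc() as its error message hands out the password along with the stack; beside it, two mitigations, redacting sensitive keys before they reach the exception text and scrubbing known secret values out of the formatted traceback. The option names, the ConnectFailed exception, the redact_* helpers and the sample values are all constructed for this example.

```python
"""Illustrative example (not Ansible's code or its actual fix): how a
connection helper can leak credentials through a traceback, and two ways
to stop it.

Assumptions (all constructed for this example): the option dict and its key
names, the ConnectFailed exception and the redact_* helpers are hypothetical
stand-ins for whatever a real connection process carries.
"""
import re
import traceback

# Constructed sample: the kind of option bundle a connection process receives.
SAMPLE_OPTIONS = {
    "host": "10.0.0.5",
    "port": 22,
    "remote_user": "automation",
    "password": "Sup3rS3cret!",      # constructed value
    "become_pass": "r00tPassw0rd",   # constructed value
}

# Key names that should never be echoed into error text.
SENSITIVE_KEY_RE = re.compile(r"(pass|secret|token|key)", re.IGNORECASE)
REDACTED = "<redacted>"


class ConnectFailed(Exception):
    """Hypothetical failure raised by the connection helper."""


def redact_mapping(mapping):
    """Copy of mapping with the values of sensitive-looking keys replaced."""
    return {k: (REDACTED if SENSITIVE_KEY_RE.search(str(k)) else v)
            for k, v in mapping.items()}


def redact_text(text, secrets):
    """Blank out known secret values wherever they appear in free text,
    e.g. a formatted traceback whose message was built by someone else."""
    for s in secrets:
        if s:
            text = text.replace(str(s), REDACTED)
    return text


def connect_leaky(options):
    """Vulnerable pattern: the whole option dict is interpolated into the
    exception text, so whoever formats the traceback sees the password."""
    raise ConnectFailed("unable to connect with options %r" % (options,))


def connect_safe(options):
    """Hardened at source: sensitive values are redacted before they can
    become part of the exception text."""
    raise ConnectFailed("unable to connect with options %r" % (redact_mapping(options),))


def run_and_report(connect, options):
    """Wrapper that returns the formatted traceback as the error message
    shown to the caller: the unsafe default behaviour."""
    try:
        connect(options)
    except ConnectFailed:
        return traceback.format_exc()
    return ""


def run_and_report_redacted(connect, options):
    """Same wrapper, but scrubs every known secret value out of the traceback
    before returning it, however the exception text was built."""
    secrets = [v for k, v in options.items() if SENSITIVE_KEY_RE.search(str(k))]
    try:
        connect(options)
    except ConnectFailed:
        return redact_text(traceback.format_exc(), secrets)
    return ""


def leaks_secret(report, options):
    """True if any sensitive option value appears verbatim in the report."""
    return any(str(v) in report
               for k, v in options.items() if SENSITIVE_KEY_RE.search(str(k)))


if __name__ == "__main__":
    leaky = run_and_report(connect_leaky, SAMPLE_OPTIONS)
    print("unredacted traceback exposes a password:", leaks_secret(leaky, SAMPLE_OPTIONS))
    at_source = run_and_report(connect_safe, SAMPLE_OPTIONS)
    print("redacted-at-source traceback exposes a password:", leaks_secret(at_source, SAMPLE_OPTIONS))
    scrubbed = run_and_report_redacted(connect_leaky, SAMPLE_OPTIONS)
    print("scrubbed traceback exposes a password:", leaks_secret(scrubbed, SAMPLE_OPTIONS))
```

Redacting by key name at the source is the cheap fix, but it only covers exception text the helper itself builds; scrubbing known secret values out of the finished traceback also catches secrets that a lower layer (a transport library, a plugin) put into its own exception message, which is why a practitioner would normally apply both.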


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2021:3877  0        None      None    None     2021-10-18 10:42:24 UTC
Red Hat Product Errata  RHBA-2021:3883  0        None      None    None     2021-10-18 14:01:28 UTC
Red Hat Product Errata  RHBA-2021:4131  0        None      None    None     2021-11-04 16:18:58 UTC
Red Hat Product Errata  RHSA-2021:3871  0        None      None    None     2021-10-14 19:40:23 UTC
Red Hat Product Errata  RHSA-2021:3872  0        None      None    None     2021-10-14 19:40:58 UTC
Red Hat Product Errata  RHSA-2021:3874  0        None      None    None     2021-10-14 20:19:22 UTC
Red Hat Product Errata  RHSA-2021:4703  0        None      None    None     2021-11-16 14:45:42 UTC
Red Hat Product Errata  RHSA-2021:4750  0        None      None    None     2021-11-19 19:21:49 UTC

Comment 3 Salvatore Bonaccorso 2021-06-27 20:10:54 UTC
Any details (report upstream, fixing commits, etc ...) on this issue available?

Comment 4 Tapas Jena 2021-06-28 07:18:46 UTC
Hi @carnil,

You can refer to the link below regarding the possible fix:
github.com/dalrrard/ansible/blob/devel/lib/ansible/module_utils/connection.py

Comment 5 Gianluca Gabrielli 2021-06-28 09:20:01 UTC
(In reply to Salvatore Bonaccorso from comment #3)
> Any details (report upstream, fixing commits, etc ...) on this issue
> available?

fe28767 [0] seems to be the fixing commit, if you find something more please share.

[0] https://github.com/dalrrard/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0

Comment 28 errata-xmlrpc 2021-10-14 19:40:21 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 7
  Red Hat Ansible Engine 2.9 for RHEL 8

Via RHSA-2021:3871 https://access.redhat.com/errata/RHSA-2021:3871

Comment 29 errata-xmlrpc 2021-10-14 19:40:56 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7
  Red Hat Ansible Engine 2 for RHEL 8

Via RHSA-2021:3872 https://access.redhat.com/errata/RHSA-2021:3872

Comment 30 Product Security DevOps Team 2021-10-14 20:08:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3620

Comment 31 errata-xmlrpc 2021-10-14 20:19:19 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.0 for RHEL 8

Via RHSA-2021:3874 https://access.redhat.com/errata/RHSA-2021:3874

Comment 32 errata-xmlrpc 2021-11-16 14:45:38 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
  Red Hat Virtualization Engine 4.4
  Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8

Via RHSA-2021:4703 https://access.redhat.com/errata/RHSA-2021:4703

Comment 33 errata-xmlrpc 2021-11-19 19:21:46 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:4750 https://access.redhat.com/errata/RHSA-2021:4750

Comment 35 Tapas Jena 2021-12-29 11:19:05 UTC
Hi @psampaio,

Yes, we do have the "Fixed In" version for this bug. The bug concerned, i.e. CVE-2021-3620, has been fixed in Ansible Engine 2.9.27. Please refer to https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes for the same.

Let me know if you need any further info on this.