Bug 1989407 (CVE-2021-3681) - CVE-2021-3681 ansible: Secrets leakage vulnerability with ansible collections and ansible galaxy
Keywords:
Status: NEW
Alias: CVE-2021-3681
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1989831 2022835 2022836 2022837
Blocks: 1989747 1984436
Reported: 2021-08-03 07:25 UTC by Tapas Jena
Modified: 2021-11-12 17:35 UTC (History)

Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in ``galaxy.yml`` are included in the ``.tar.gz`` file. This can contain sensitive information, such as the user's Ansible Galaxy API key and any secrets in ``ansible`` or ``ansible-playbook`` verbose output without ``no_log`` redaction. Currently, there is no way to deprecate a collection or delete a collection version. Once published, anyone who downloads or installs the collection can view the secrets. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed:



Description Tapas Jena 2021-08-03 07:25:44 UTC
When someone is manually building collections, *any files* in the repository directory that are *not* explicitly excluded via the ``build_ignore`` list in the ``galaxy.yml`` file will be included in the ``.tar.gz`` file which may include the user's Ansible Galaxy API key, any secrets in ``ansible`` or ``ansible-playbook`` verbose output without ``no_log`` redaction, or any other secrets that a developer unknowingly places in the repository directory while developing and testing the collection. Once published, anyone who downloads or installs the collection will possess the secrets.
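A pre-publish audit of the kind the description calls for, added here as an example and not part of the reporter's text or of ansible-galaxy itself. It approximates the packaging rule (every file under the collection directory ships unless a ``build_ignore`` pattern or one of the builder's own default exclusions covers it, modelled with fnmatch) and flags packaged files whose name or content looks like a secret; ALWAYS_IGNORED, SENSITIVE_NAMES, SECRET_RE and the sample tree are constructed assumptions.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

# Constructed approximations: what ansible-galaxy skips on its own, plus names and
# content that usually carry secrets. The real build code is more nuanced than this.
ALWAYS_IGNORED = [".git", "*.pyc", "*.retry", "galaxy.yml", "MANIFEST.json", "FILES.json"]
SENSITIVE_NAMES = ["galaxy_token", ".vault_pass*", "*.log", "ansible.cfg", ".env", "*.pem"]
SECRET_RE = re.compile(r"(?i)(token|api_key|password)\s*[:=]\s*\S+")

def would_be_packaged(relpath, build_ignore):
    """True if relpath would land in the .tar.gz, i.e. no ignore pattern covers it."""
    for pattern in ALWAYS_IGNORED + list(build_ignore):
        if fnmatch.fnmatch(relpath, pattern) or fnmatch.fnmatch(Path(relpath).name, pattern):
            return False
        if relpath.startswith(pattern.rstrip("/") + "/"):  # pattern names a directory
            return False
    return True

def audit_collection(root, build_ignore):
    """Return (relative path, reason) for each packaged file that looks like it holds a secret."""
    root, findings = Path(root), []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if not would_be_packaged(rel, build_ignore):
            continue  # never reaches the tarball, so not a leak
        if any(fnmatch.fnmatch(path.name, p) for p in SENSITIVE_NAMES):
            findings.append((rel, "sensitive filename"))
        elif SECRET_RE.search(path.read_text(errors="ignore")[:65536]):
            findings.append((rel, "secret-like content"))
    return findings

def demo():
    """Constructed collection tree: a stray API key, a verbose log and a vault password."""
    root = Path(tempfile.mkdtemp())
    sample = {
        "galaxy.yml": "namespace: acme\nname: demo\nbuild_ignore:\n  - tests/output\n",
        "plugins/modules/ping.py": "def main():\n    pass\n",
        "galaxy_token": "token: abc123\n",
        "tests/output/run.log": "TASK [debug] => password=hunter2\n",
        "tests/vault.txt": "vault_password: swordfish\n",
    }
    for rel, body in sample.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return audit_collection(root, build_ignore=["tests/output"])
```

In the sample tree the log under ``tests/output`` is covered by ``build_ignore`` and is not reported, while the saved API key and the vault password file would ship and are flagged.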

Comment 3 Tapas Jena 2021-08-04 06:56:13 UTC
Analysis is complete for Ansible components and found to be a valid security bug. Required trackers have been created.

Comment 5 Tapas Jena 2021-11-12 17:35:40 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 2022836]
Affects: fedora-all [bug 2022835]
Affects: openstack-rdo [bug 2022837]

