Fedora Account System
Red Hat Associate
Red Hat Customer
Hi Red Hat Security Team, I am reporting a vulnerability in community.general v13.0.0 Module: plugins/modules/keyring_info.py CVSS 3.1: 5.5 MEDIUM — AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Issue: The module retrieves a passphrase from the OS native keyring (GNOME Keyring, macOS Keychain, Windows Credential Manager) and places it directly into result["passphrase"] with no output suppression, no no_log protection, and no documentation warning.
This flaw affects the community.general Ansible collection's keyring_info module in all versions since its introduction in version 5.2.0. Red Hat ships ansible-collection-community-general in several product streams (EPEL, Fedora, OpenStack). The module returns OS keyring passphrases in plaintext in Ansible task output, making them visible in logs and monitoring systems. As a workaround, users should add no_log: true at the task level when using this module. The companion keyring module (write-side) is not affected.