Bug 1989407 (CVE-2021-3681) - CVE-2021-3681 ansible: Secrets leakage vulnerability with ansible collections and ansible galaxy
Keywords:
Status: NEW
Alias: CVE-2021-3681
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1989831 2022835 2022836 2022837
Blocks: 1984436 1989747
 
Reported: 2021-08-03 07:25 UTC by Tapas Jena
Modified: 2025-04-01 08:28 UTC (History)
CC List: 24 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Tapas Jena 2021-08-03 07:25:44 UTC
When someone is manually building collections, *any files* in the repository directory that are *not* explicitly excluded via the ``build_ignore`` list in the ``galaxy.yml`` file will be included in the ``.tar.gz`` file which may include the user's Ansible Galaxy API key, any secrets in ``ansible`` or ``ansible-playbook`` verbose output without ``no_log`` redaction, or any other secrets that a developer unknowingly places in the repository directory while developing and testing the collection. Once published, anyone who downloads or installs the collection will possess the secrets.
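The report above describes the mechanism: everything under the collection directory that is not matched by `build_ignore` in `galaxy.yml` ends up in the `.tar.gz`. The following script is an added example (not code from this report or from the Ansible project) showing how a maintainer can audit what a build would ship, both before packing and on the finished archive. It assumes that `build_ignore` entries are fnmatch-style patterns applied to each path relative to the collection root on top of a small set of default exclusions; `DEFAULT_IGNORE`, the suspicious-name list and the secret regex are constructed heuristics, and the sample collection tree is built in a temporary directory with placeholder values.

```python
"""Audit which files an Ansible collection build would ship, before and after packing.

Added example; not code from the Bugzilla report or from the Ansible project.
Assumption: build_ignore entries are fnmatch patterns applied to each path
relative to the collection root, plus a few default exclusions. That filter is
re-implemented in `included_files` so the check can run ahead of
`ansible-galaxy collection build`; `audit_tarball` applies the same secret
heuristics to an already-built .tar.gz.
"""
import fnmatch
import os
import re
import tarfile
import tempfile

# Assumed to mirror the build's own default exclusions (assumption, not verified).
DEFAULT_IGNORE = ["galaxy.yml", "*.pyc", "*.retry", ".git", ".git/*",
                  "tests/output", "tests/output/*"]
# File names that commonly hold credentials and should never ship in a collection.
SUSPICIOUS_NAMES = [".env", "*.pem", "*.key", "id_rsa*", "*token*", "*.log",
                    "vault-password*", "*.retry"]
# Crude content scan for key=value / key: value style secrets (constructed heuristic).
SECRET_RE = re.compile(r"(?i)(api[_-]?key|password|token|secret)\s*[:=]\s*\S+")


def _ignored(rel, patterns):
    return any(fnmatch.fnmatch(rel, p) for p in patterns)


def included_files(root, build_ignore=()):
    """Relative paths the build would pack: every file not matched by a pattern."""
    patterns = list(build_ignore) + DEFAULT_IGNORE
    included = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir
        # Prune ignored directories so nothing beneath them is walked.
        dirnames[:] = [d for d in dirnames
                       if not _ignored(os.path.join(rel_dir, d), patterns)]
        for name in filenames:
            rel = os.path.join(rel_dir, name)
            if not _ignored(rel, patterns):
                included.append(rel)
    return sorted(included)


def _suspicious(rel, data):
    """Reasons a packed file looks like it carries a secret; empty list if clean."""
    reasons = []
    if any(fnmatch.fnmatch(os.path.basename(rel), p) for p in SUSPICIOUS_NAMES):
        reasons.append("suspicious file name")
    if SECRET_RE.search(data.decode("utf-8", errors="ignore")):
        reasons.append("secret-like content")
    return reasons


def audit_tree(root, build_ignore=()):
    """Pre-build check: {rel_path: reasons} for shipped files that look like secrets."""
    findings = {}
    for rel in included_files(root, build_ignore):
        with open(os.path.join(root, rel), "rb") as fh:
            reasons = _suspicious(rel, fh.read(65536))
        if reasons:
            findings[rel] = reasons
    return findings


def build_tarball(root, build_ignore=(), out_path=None):
    """Pack the files the filter lets through, as a collection build would."""
    if out_path is None:  # keep the archive outside root so it is never packed into itself
        out_path = os.path.join(tempfile.mkdtemp(prefix="demo_build_"), "collection.tar.gz")
    with tarfile.open(out_path, "w:gz") as tar:
        for rel in included_files(root, build_ignore):
            tar.add(os.path.join(root, rel), arcname=rel)
    return out_path


def audit_tarball(tar_path):
    """Post-build check: the same heuristics over the members of a built .tar.gz."""
    findings = {}
    with tarfile.open(tar_path, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            reasons = _suspicious(member.name, tar.extractfile(member).read(65536))
            if reasons:
                findings[member.name] = reasons
    return findings


def make_sample_collection():
    """Constructed collection tree with two stray files a developer might leave behind."""
    root = tempfile.mkdtemp(prefix="demo_collection_")
    files = {
        "galaxy.yml": "namespace: example\nname: demo\nversion: 1.0.0\n",
        "roles/web/tasks/main.yml": "- name: install nginx\n  ansible.builtin.package:\n    name: nginx\n",
        "roles/web/defaults/main.yml": "http_port: 80\n",
        "plugins/modules/hello.py": "def main():\n    pass\n",
        # Stray Galaxy API key (constructed placeholder, not a real key).
        ".env": "GALAXY_API_KEY=constructed-placeholder-not-a-real-key\n",
        # Saved verbose playbook output that was never redacted with no_log (constructed).
        "logs/run.log": "TASK [db] ok: password: hunter2-constructed\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = make_sample_collection()
    print("empty build_ignore:", audit_tree(root))
    print("build_ignore [.env, *.log]:", audit_tree(root, [".env", "*.log"]))
    print("flagged in built archive:", audit_tarball(build_tarball(root)))
```

Run it as-is and the first line reports `.env` and `logs/run.log` with both a name and a content hit, the second line is empty once the two patterns are added to `build_ignore`, and the archive check confirms the same two files are present in a tarball built without them. The archive check is the one worth wiring into CI: it inspects the artifact that would actually be published rather than the filter that was meant to protect it.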

Comment 3 Tapas Jena 2021-08-04 06:56:13 UTC
Analysis is complete for Ansible components and found to be a valid security bug. Required trackers have been created.

Comment 5 Tapas Jena 2021-11-12 17:35:40 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 2022836]
Affects: fedora-all [bug 2022835]
Affects: openstack-rdo [bug 2022837]
