CVE-2021-20191

NameCVE-2021-20191
DescriptionA flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3695-1
Debian Bugs985753

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ansible (PTS)buster2.7.7+dfsg-1+deb10u1vulnerable
buster (security)2.7.7+dfsg-1+deb10u2fixed
bullseye2.10.7+merged+base+2.10.8+dfsg-1vulnerable
bookworm7.3.0+dfsg-1fixed
sid7.7.0+dfsg-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ansiblesourcestretch(unfixed)end-of-life
ansiblesourcebuster2.7.7+dfsg-1+deb10u2DLA-3695-1
ansiblesource(unstable)5.4.0-1985753

Notes

[bullseye] - ansible <no-dsa> (Minor issue)
[stretch] - ansible <end-of-life> (EOL'd for stretch)
https://bugzilla.redhat.com/show_bug.cgi?id=1916813
https://github.com/ansible-collections/cisco.nxos/pull/227
https://github.com/ansible-collections/cisco.nxos/commit/120956963f47502151a358e4a7bc2a87f71813aa

Search for package or bug name: Reporting problems