CVE-2021-20191

Name: CVE-2021-20191
Description: A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: low
Debian Bugs: 985753

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  Release             Version                           Status
ansible (PTS)   stretch             2.2.1.0-2+deb9u1                  vulnerable
                stretch (security)  2.2.1.0-2+deb9u2                  vulnerable
                buster              2.7.7+dfsg-1                      vulnerable
                bullseye, sid       2.10.7+merged+base+2.10.8+dfsg-1  vulnerable

The information below is based on the following data on fixed versions.

Package  Type    Release     Fixed Version  Urgency  Origin  Debian Bugs
ansible  source  (unstable)  (unfixed)                       985753

Notes

[bullseye] - ansible <no-dsa> (Minor issue)
[buster] - ansible <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=1916813
https://github.com/ansible-collections/cisco.nxos/pull/227
https://github.com/ansible-collections/cisco.nxos/commit/120956963f47502151a358e4a7bc2a87f71813aa