Information disclosure in Ansible
CVE-2021-20178
A flaw was found in an Ansible module where credentials are disclosed in the console log by default and are not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_p…
EPSS: 0.000 (8.4th percentile)
Affected products
- N/a Ansible — versions before 2.9.18
Weakness classification (CWE)
References
- FEDORA-2021-e9478617ae (vendor-advisory)
- FEDORA-2021-9a0903469c (vendor-advisory)
- bugzilla.redhat.com/show_bug.cgi
- github.com/ansible-collections/community.general/pull/1635
- github.com/ansible/ansible/blob/v2.9.18/changelogs/CHANGELOG-v2.9.rst
- [debian-lts-announce] 20231228 [SECURITY] [DLA 3695-1] ansible security update (mailing-list)