CVE-2021-20191
First published: Fri Jan 15 2021(Updated: )
A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ansible | <0:2.9.18-1.el7ae | 0:2.9.18-1.el7ae |
| redhat/ansible | <0:2.9.18-1.el8ae | 0:2.9.18-1.el8ae |
| Oracle Virtualization | =4.0 | |
| Redhat Ansible | <2.8.19 | |
| Redhat Ansible | >=2.9.0<2.9.18 | |
| Redhat Ansible | >=2.10.0<2.10.7 | |
| Redhat Ansible Tower | =3.0 | |
| Redhat Cisco Nx-os Collection | <1.4.0 | |
| Redhat Community General Collection | <1.3.6 | |
| Redhat Community General Collection | >=2.0.0<2.0.1 | |
| Redhat Community Network Collection | <1.3.2 | |
| Redhat Community Network Collection | >=2.0.0<2.0.1 | |
| Redhat Docker Community Collection | <1.2.2 | |
| Redhat Google Cloud Platform Ansible Collection | =1.0.2 | |
| redhat/ansible | <2.9.18 | 2.9.18 |
| pip/ansible | >=2.10.0a1<2.10.7 | 2.10.7 |
| pip/ansible | <2.8.19rc1 | 2.8.19rc1 |
| pip/ansible | >=2.9.0a1<2.9.18rc1 | 2.9.18rc1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-20191 https://nvd.nist.gov/vuln/detail/CVE-2021-20191
- https://bugzilla.redhat.com/show_bug.cgi?id=1916813
- https://access.redhat.com/errata/RHSA-2021:1079
- https://access.redhat.com/errata/RHSA-2021:0664
- https://access.redhat.com/errata/RHSA-2021:0663
- https://access.redhat.com/errata/RHSA-2021:2180
- https://access.redhat.com/security/cve/cve-2021-20191
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-20191
- https://github.com/ansible/ansible/pull/73488
- https://github.com/ansible/ansible/pull/73489
- https://github.com/advisories/GHSA-8f4m-hccc-8qph (Advisory)
- https://github.com/ansible-collections/cisco.nxos/pull/227
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1917474
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1917473
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1917475
- https://github.com/ansible/ansible/commit/cc82d986c40328d4ae81298a9d287c95a6326bb0
- https://github.com/ansible/ansible/commit/d74a1b1d1325af2a24848044cf2858987f5a3ecc
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2021-124.yaml
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-20191?
CVE-2021-20191 is a vulnerability in Ansible that allows credentials, such as secrets, to be disclosed in the console log.
How can an attacker exploit CVE-2021-20191?
An attacker can take advantage of CVE-2021-20191 to steal credentials by accessing the disclosed information in the console log.
What is the severity of CVE-2021-20191?
CVE-2021-20191 has a severity rating of 5.5 (Medium).
Which software versions are affected by CVE-2021-20191?
Ansible versions 2.10.0 to 2.10.7, 2.8.19, and 2.9.0 to 2.9.18 are affected by CVE-2021-20191.
How can I fix CVE-2021-20191?
To fix CVE-2021-20191, you should update Ansible to version 2.10.7, 2.8.19, or 2.9.18, depending on your current version.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/author
- agent/severity
- agent/description
- agent/weakness
- collector/nvd-cve
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-20191
- collector/mitre-cve
- source/MITRE
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8f4m-hccc-8qph
- agent/references
- agent/last-modified-date
- agent/tags
- collector/github-advisory
- agent/softwarecombine
- agent/trending
- package-manager/redhat
- vendor/oracle
- canonical/oracle virtualization
- version/oracle virtualization/4.0
- vendor/redhat
- canonical/redhat ansible
- version/redhat ansible/2.9.0
- version/redhat ansible/2.10.0
- canonical/redhat ansible tower
- version/redhat ansible tower/3.0
- canonical/redhat cisco nx-os collection
- canonical/redhat community general collection
- version/redhat community general collection/2.0.0
- canonical/redhat community network collection
- version/redhat community network collection/2.0.0
- canonical/redhat docker community collection
- canonical/redhat google cloud platform ansible collection
- version/redhat google cloud platform ansible collection/1.0.2
- package-manager/pip