What is CVE-2021-20228?

CVE-2021-20228 is a vulnerability in Ansible Engine where sensitive information is not masked by default and can be obtained by an attacker.

How severe is CVE-2021-20228?

CVE-2021-20228 has a severity rating of 7.5 (high).

What software is affected by CVE-2021-20228?

Ansible Engine versions from 2.8.0 to 2.8.19, 2.9.0 to 2.9.18, and 2.10.0 to 2.10.7 are affected. Redhat Ansible Engine 2.9.18 and Ansible versions 0:2.9.18-1.el7ae and 0:2.9.18-1.el8ae are also affected.

How can I fix CVE-2021-20228?

To fix CVE-2021-20228, update your Ansible Engine to version 2.8.19, 2.9.18, or 2.10.7.

Where can I find more information about CVE-2021-20228?

You can find more information about CVE-2021-20228 on the NIST National Vulnerability Database (NVD) website and the relevant GitHub pull requests (PR #73487 and PR #73492).

Vulnerability/
CVE-2021-20228

high

7.5

CWE

200 522

29/1/2021

29/4/2021

25/5/2022

9/9/2024

CVE-2021-20228: Infoleak

First published: Fri Jan 29 2021(Updated: )

A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from this vulnerability is to confidentiality.

Credit: secalert@redhat.com secalert@redhat.com

Affected Software	Affected Version	How to fix
redhat/ansible	<0:2.9.18-1.el7ae	0:2.9.18-1.el7ae
redhat/ansible	<0:2.9.18-1.el8ae	0:2.9.18-1.el8ae
Redhat Ansible Engine	=2.9.18
Redhat Ansible Automation Platform	=1.2
Redhat Ansible Engine	=2.0
Redhat Ansible Engine	=2.9
Redhat Ansible Tower	=3.0
Debian Debian Linux	=10.0
debian/ansible		2.7.7+dfsg-1+deb10u1 2.7.7+dfsg-1+deb10u2 2.10.7+merged+base+2.10.8+dfsg-1 7.3.0+dfsg-1 7.7.0+dfsg-3
redhat/ansible-engine	<2.9.18	2.9.18
pip/ansible	<2.8.19rc1	2.8.19rc1
pip/ansible	>=2.9.0a1<2.9.18rc1	2.9.18rc1
pip/ansible	>=2.10.0a1<2.10.6rc1	2.10.6rc1

Remedy

https://github.com/ansible/ansible/pull/73487

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2021-20228?
CVE-2021-20228 is a vulnerability in Ansible Engine where sensitive information is not masked by default and can be obtained by an attacker.
How severe is CVE-2021-20228?
CVE-2021-20228 has a severity rating of 7.5 (high).
What software is affected by CVE-2021-20228?
Ansible Engine versions from 2.8.0 to 2.8.19, 2.9.0 to 2.9.18, and 2.10.0 to 2.10.7 are affected. Redhat Ansible Engine 2.9.18 and Ansible versions 0:2.9.18-1.el7ae and 0:2.9.18-1.el8ae are also affected.
How can I fix CVE-2021-20228?
To fix CVE-2021-20228, update your Ansible Engine to version 2.8.19, 2.9.18, or 2.10.7.
Where can I find more information about CVE-2021-20228?
You can find more information about CVE-2021-20228 on the NIST National Vulnerability Database (NVD) website and the relevant GitHub pull requests (PR #73487 and PR #73492).

collector/redhat-cve
collector/nvd-index
collector/security-tracker-debian
agent/author
agent/type
agent/first-publish-date
agent/remedy
agent/severity
agent/weakness
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2021-20228
agent/software-canonical-lookup
collector/mitre-cve
source/MITRE
agent/event
collector/github-advisory-latest
source/GitHub
alias/GHSA-5rrg-rr89-x9mv
agent/last-modified-date
agent/references
agent/description
agent/softwarecombine
collector/nvd-cve
source/NVD
agent/tags
collector/github-advisory
package-manager/redhat
vendor/redhat
canonical/redhat ansible engine
version/redhat ansible engine/2.9.18
canonical/redhat ansible automation platform
version/redhat ansible automation platform/1.2
version/redhat ansible engine/2.0
version/redhat ansible engine/2.9
canonical/redhat ansible tower
version/redhat ansible tower/3.0
vendor/debian
canonical/debian debian linux
version/debian debian linux/10.0
package-manager/debian
package-manager/pip