What is CVE-2021-3681?

CVE-2021-3681 is a vulnerability found in Ansible Galaxy Collections that allows sensitive files to be included in the .tar.gz file when collections are built manually.

What is the severity of CVE-2021-3681?

The severity of CVE-2021-3681 is rated as high with a severity value of 5.5.

How does CVE-2021-3681 affect Redhat Ansible Automation Platform?

Redhat Ansible Automation Platform version 1.2 is affected by CVE-2021-3681.

How does CVE-2021-3681 affect Redhat Ansible Galaxy?

Redhat Ansible Galaxy version 3.3.0 is affected by CVE-2021-3681.

How can I fix CVE-2021-3681?

To fix CVE-2021-3681, make sure to explicitly exclude sensitive files via the "build_ignore" list in "galaxy.yml" when building collections manually in Ansible Galaxy.

Vulnerability/
CVE-2021-3681

medium

5.5

CWE

522 212

3/8/2021

18/4/2022

3/8/2024

CVE-2021-3681

First published: Tue Aug 03 2021(Updated: )

A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in "galaxy.yml" include files in the ``.tar.gz`` file. This contains sensitive info, such as the user's Ansible Galaxy API key and any secrets in ``ansible`` or ``ansible-playbook`` verbose output without the``no_log`` redaction. Currently, there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets.

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
Red Hat Ansible Automation Platform	=1.2
Redhat Ansible Galaxy	=3.3.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-3681?
CVE-2021-3681 is a vulnerability found in Ansible Galaxy Collections that allows sensitive files to be included in the .tar.gz file when collections are built manually.
What is the severity of CVE-2021-3681?
The severity of CVE-2021-3681 is rated as high with a severity value of 5.5.
How does CVE-2021-3681 affect Redhat Ansible Automation Platform?
Redhat Ansible Automation Platform version 1.2 is affected by CVE-2021-3681.
How does CVE-2021-3681 affect Redhat Ansible Galaxy?
Redhat Ansible Galaxy version 3.3.0 is affected by CVE-2021-3681.
How can I fix CVE-2021-3681?
To fix CVE-2021-3681, make sure to explicitly exclude sensitive files via the "build_ignore" list in "galaxy.yml" when building collections manually in Ansible Galaxy.

agent/weakness
agent/type
agent/softwarecombine
agent/first-publish-date
collector/mitre-cve
source/MITRE
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2021-3681
agent/author
agent/severity
agent/references
agent/last-modified-date
agent/description
agent/event
agent/trending
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/redhat
canonical/red hat ansible automation platform
version/red hat ansible automation platform/1.2
canonical/redhat ansible galaxy
version/redhat ansible galaxy/3.3.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.