Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 835608 (CVE-2021-20180)

Summary: <app-admin/ansible-7.7.0: bitbucket_pipeline_variable secret leakage into logs
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: monsieurp, prometheanfire
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1915808
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-19 04:01:18 UTC 
CVE-2021-20180:

A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.

RedHat doesn't give us any upstream reference here.
Comment 1 Hans de Graaff gentoo-dev Security 2023-10-26 11:56:44 UTC 
Fixed in https://github.com/ansible-collections/community.general/commit/1d0c5e2ba47724c31a18d7b08b9daf13df8829dc which is released in version 2.0.0 of the community.general project: https://github.com/ansible-collections/community.general/blob/stable-2/CHANGELOG.rst

The oldest version of ansible in gentoo (7.7.0) contains ansible_collections 6.x.