835608 – (CVE-2021-20180) <app-admin/ansible-7.7.0: bitbucket_pipeline_variable secret leakage into logs

Bug 835608 (CVE-2021-20180) - <app-admin/ansible-7.7.0: bitbucket_pipeline_variable secret leakage into logs

Summary: <app-admin/ansible-7.7.0: bitbucket_pipeline_variable secret leakage into logs

Status:	RESOLVED FIXED

Alias:	CVE-2021-20180

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2022-03-19 04:01 UTC by John Helmert III
Modified:	2023-10-26 11:56 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-03-19 04:01:18 UTC

CVE-2021-20180:

A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.

RedHat doesn't give us any upstream reference here.

Comment 1 Hans de Graaff gentoo-dev

2023-10-26 11:56:44 UTC

Fixed in https://github.com/ansible-collections/community.general/commit/1d0c5e2ba47724c31a18d7b08b9daf13df8829dc which is released in version 2.0.0 of the community.general project: https://github.com/ansible-collections/community.general/blob/stable-2/CHANGELOG.rst

The oldest version of ansible in gentoo (7.7.0) contains ansible_collections 6.x.