Source: ansible
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for ansible.

CVE-2021-3447[0]:
| A flaw was found in several ansible modules, where parameters
| containing credentials, such as secrets, were being logged in
| plain-text on managed nodes, as well as being made visible on the
| controller node when run in verbose mode. These parameters were not
| protected by the no_log feature. An attacker can take advantage of
| this information to steal those credentials, provided when they have
| access to the log files containing them. The highest threat from this
| vulnerability is to data confidentiality. This flaw affects Red Hat
| Ansible Automation Platform in versions before 1.2.2 and Ansible
| Tower in versions before 3.8.2.

Red Hat Bugzilla seems to be the original report here:
https://bugzilla.redhat.com/show_bug.cgi?id=1939349

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3447
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3447

Please adjust the affected versions in the BTS as needed.
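An added example, not part of the original report and not Ansible's own code: a static check for the class of bug the CVE describes, listing module parameters whose names look like credentials but whose spec does not set no_log=True. It assumes the module declares its parameters in an inline argument_spec; the name pattern and the sample module are constructed for illustration.

```python
import ast
import re

# Name heuristic is an assumption of this example, not a list taken from Ansible.
SECRET_NAME = re.compile(r"pass(word|wd|phrase)?|secret|token|api_?key|private_key", re.I)

# Constructed sample module source; it is parsed only, never executed.
SAMPLE_MODULE = '''
from ansible.module_utils.basic import AnsibleModule

def main():
    module = AnsibleModule(
        argument_spec=dict(
            url=dict(type="str", required=True),
            api_token=dict(type="str", required=True),
            bind_password=dict(type="str", no_log=True),
            client_secret={"type": "str", "no_log": False},
        )
    )
'''

def _options(node):
    """Map option name -> value node for a dict(...) call or {...} literal."""
    if isinstance(node, ast.Call) and getattr(node.func, "id", None) == "dict":
        return {kw.arg: kw.value for kw in node.keywords if kw.arg}
    if isinstance(node, ast.Dict):
        return {k.value: v for k, v in zip(node.keys, node.values)
                if isinstance(k, ast.Constant) and isinstance(k.value, str)}
    return {}

def unprotected_secret_params(source):
    """Names of secret-looking parameters whose spec lacks no_log=True."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if kw.arg != "argument_spec":
                continue
            for name, value in _options(kw.value).items():
                flag = _options(value).get("no_log")
                protected = isinstance(flag, ast.Constant) and flag.value is True
                if SECRET_NAME.search(name) and not protected:
                    findings.append(name)
    return sorted(findings)

if __name__ == "__main__":
    for name in unprotected_secret_params(SAMPLE_MODULE):
        print(f"{name}: secret-like parameter without no_log=True")
```

A hit is a candidate for review, not a confirmed leak: the name match is a heuristic, and specs built dynamically or imported from a shared helper are not seen by this check.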