Bug 1189638 - (CVE-2021-3681) VUL-0: CVE-2021-3681: ansible1,ansible: Secrets leakage vulnerability with ansible collections and ansible galaxy
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Matej Cepl
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/305722/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3681:5.0:(AV:L...
Reported: 2021-08-20 10:35 UTC by Gianluca Gabrielli
Modified: 2022-11-01 07:59 UTC
Found By: Security Response Team

Description Gianluca Gabrielli 2021-08-20 10:35:39 UTC
When someone is manually building collections, *any files* in the repository directory that are *not* explicitly excluded via the ``build_ignore`` list in the ``galaxy.yml`` file will be included in the ``.tar.gz`` file which may include the user's Ansible Galaxy API key, any secrets in ``ansible`` or ``ansible-playbook`` verbose output without ``no_log`` redaction, or any other secrets that a developer unknowingly places in the repository directory while developing and testing the collection. Once published, anyone who downloads or installs the collection will possess the secrets.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1989407
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3681
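The packaging rule the report describes (every file not matched by ``build_ignore`` ships in the ``.tar.gz``), together with the pre-publish check a collection author would want, as an added example that is not part of this bug report or of Ansible's own code. It assumes a simplified ``build_ignore`` matcher (fnmatch against the relative path and the basename; ansible-galaxy's real default exclusions are not modelled), an assumed set of suspicious-name and content heuristics, and a constructed sample collection tree containing a fake Galaxy API token file and a verbose ``ansible.log`` captured without ``no_log``.

```python
"""Pre-publish audit for an Ansible collection artifact.

Added example, not from the bug report or from Ansible. It models the packaging
rule described in the report with a simplified build_ignore matcher (fnmatch on
the relative path and on the basename; ansible-galaxy's real default exclusions
are not reproduced) and inspects the resulting .tar.gz for members whose name or
content looks like a credential. Every input below is constructed for the demo.
"""
import os
import re
import tarfile
import tempfile
from fnmatch import fnmatch

# Assumed heuristics: file names that commonly hold credentials in a working tree.
SUSPICIOUS_NAMES = ("*.log", "*.env", "*.pem", "*.key", "*token*", "*vault_pass*", "id_rsa*")

# key: value style secrets (quotes optional) and bare 40-hex tokens (the shape of a Galaxy API key).
SECRET_PATTERNS = (
    re.compile(r"(?i)(api[_-]?key|token|password|passwd|secret)[\"']?\s*[:=]\s*[\"']?\S{8,}"),
    re.compile(r"\b[0-9a-f]{40}\b"),
)


def is_ignored(rel_path, build_ignore):
    """A file is dropped only if some build_ignore pattern matches it; everything else ships."""
    base = os.path.basename(rel_path)
    return any(fnmatch(rel_path, pat) or fnmatch(base, pat) for pat in build_ignore)


def files_to_package(root, build_ignore):
    """Relative paths under root that would land in the artifact under the simplified rule."""
    packaged = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            rel = os.path.relpath(os.path.join(dirpath, fn), root)
            if not is_ignored(rel, build_ignore):
                packaged.append(rel)
    return sorted(packaged)


def pack_collection(root, build_ignore, tar_path):
    """Write the packaged files into a gzip tarball, as a build step would."""
    with tarfile.open(tar_path, "w:gz") as tf:
        for rel in files_to_package(root, build_ignore):
            tf.add(os.path.join(root, rel), arcname=rel)
    return tar_path


def audit_tarball(tar_path, max_bytes=1 << 20):
    """Return [(member_name, [reasons])] for members that look like they carry secrets."""
    findings = []
    with tarfile.open(tar_path, "r:gz") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            reasons = [f"name matches {p}" for p in SUSPICIOUS_NAMES
                       if fnmatch(os.path.basename(member.name), p)]
            text = tf.extractfile(member).read(max_bytes).decode("utf-8", errors="ignore")
            reasons += [f"content matches /{p.pattern}/" for p in SECRET_PATTERNS if p.search(text)]
            if reasons:
                findings.append((member.name, reasons))
    return findings


# Constructed sample tree: a real module plus two files a developer might leave behind.
SAMPLE_TREE = {
    "galaxy.yml": "namespace: example\nname: demo\nversion: 1.0.0\n",
    "plugins/modules/demo.py": "# module code\n",
    "galaxy_token": "token: 0123456789abcdef0123456789abcdef01234567\n",  # fake Galaxy API key
    "tests/ansible.log": 'TASK [deploy] ok: {"db_password": "hunter2-hunter2"}\n',  # verbose run, no no_log
}

# Illustrative hardened build_ignore for galaxy.yml: the two stray files plus common credential patterns.
HARDENED_BUILD_IGNORE = ["galaxy_token", "tests/*.log", "*.env", "*.pem", "*.key"]


def write_tree(root, tree):
    """Materialise the constructed sample tree on disk."""
    for rel, content in tree.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Pack the sample tree with an empty build_ignore and with the hardened one; audit both."""
    results = {}
    for label, ignore in (("default", []), ("hardened", HARDENED_BUILD_IGNORE)):
        with tempfile.TemporaryDirectory() as tmp:
            src = os.path.join(tmp, "src")
            write_tree(src, SAMPLE_TREE)
            tar_path = pack_collection(src, ignore, os.path.join(tmp, "example-demo-1.0.0.tar.gz"))
            results[label] = audit_tarball(tar_path)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {len(findings)} suspicious member(s)")
        for name, reasons in findings:
            print(f"  {name}: {'; '.join(reasons)}")
```

With an empty ``build_ignore`` the audit flags both ``galaxy_token`` and ``tests/ansible.log``; with the hardened list it flags nothing. In practice, run ``audit_tarball`` against the artifact produced by ``ansible-galaxy collection build`` before ``ansible-galaxy collection publish``, and treat any finding as a reason to extend ``build_ignore`` in ``galaxy.yml`` or to move the file out of the collection tree altogether.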
Comment 1 Gianluca Gabrielli 2021-08-20 10:36:30 UTC
This bug has been confirmed by Red Hat, but no patch has been released yet.
Comment 4 Christian Almeida de Oliveira 2022-07-01 13:57:30 UTC
SOC 8 and SOC 9 are under LTSS; only CVEs with a CVSS base score higher than 7 are taken into account, thus in this case no action.
Back to Security team.