Bugzilla – Bug 1189638
VUL-0: CVE-2021-3681: ansible1,ansible: Secrets leakage vulnerability with ansible collections and ansible galaxy
Last modified: 2022-11-01 07:59:05 UTC
When someone is manually building collections, *any files* in the repository directory that are *not* explicitly excluded via the ``build_ignore`` list in the ``galaxy.yml`` file will be included in the ``.tar.gz`` file which may include the user's Ansible Galaxy API key, any secrets in ``ansible`` or ``ansible-playbook`` verbose output without ``no_log`` redaction, or any other secrets that a developer unknowingly places in the repository directory while developing and testing the collection. Once published, anyone who downloads or installs the collection will possess the secrets.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1989407
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3681
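A pre-publish check for the exposure described above, as an added example that is not part of the original bug report or of Ansible's code: it lists what actually ended up in a built collection ``.tar.gz`` and flags members whose name or content looks like a secret. The name patterns, the content regex and the sample archive are constructed assumptions.

```python
import fnmatch
import io
import re
import tarfile

# Assumed heuristics, not taken from the advisory: names and content worth a manual look.
SUSPECT_NAMES = ["*.pem", "*.key", ".env", "*.log", "*.retry", "ansible.cfg", "galaxy_token"]
SUSPECT_CONTENT = re.compile(
    rb"(?i)(token|password|secret|api_key)\s*[:=]\s*\S+|-----BEGIN [A-Z ]*PRIVATE KEY-----"
)


def audit_collection(fileobj, max_bytes=1_000_000):
    """Return sorted (member, reason) findings for a built collection .tar.gz."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            base = member.name.rsplit("/", 1)[-1]
            if any(fnmatch.fnmatch(base, pat) for pat in SUSPECT_NAMES):
                findings.append((member.name, "suspicious file name"))
            # Only the first max_bytes of each member are scanned.
            if SUSPECT_CONTENT.search(tar.extractfile(member).read(max_bytes)):
                findings.append((member.name, "secret-like content"))
    return sorted(findings)


def build_sample():
    """Constructed artifact: two legitimate files plus two leftovers from local testing."""
    files = {
        "MANIFEST.json": b'{"collection_info": {"name": "demo"}}',
        "plugins/modules/demo.py": b"# module code\n",
        "run.log": b"TASK [login] password=CONSTRUCTED-EXAMPLE\n",
        "ansible.cfg": b"[galaxy_server.release]\ntoken = CONSTRUCTED-NOT-A-REAL-TOKEN\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in audit_collection(build_sample()):
        print(f"{name}: {reason}")
```

For a real artifact, pass ``open(path, "rb")`` for the file produced by ``ansible-galaxy collection build``; anything flagged belongs in ``build_ignore`` or outside the repository directory before publishing.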
This bug has been confirmed by Red Hat, but no patch has been released yet.
SOC 8 and SOC 9 are under LTSS, only CVEs with CVSS base score higher than 7 are taken into account, thus in this case no action. Back to Security team.