Bugzilla – Bug 1189638
VUL-0: CVE-2021-3681: ansible1,ansible: Secrets leakage vulnerability with ansible collections and ansible galaxy
Last modified: 2022-11-01 07:59:05 UTC
When someone is manually building collections, *any files* in the repository directory that are *not* explicitly excluded via the ``build_ignore`` list in the ``galaxy.yml`` file will be included in the ``.tar.gz`` file, which may include the user's Ansible Galaxy API key, any secrets in ``ansible`` or ``ansible-playbook`` verbose output without ``no_log`` redaction, or any other secrets that a developer unknowingly places in the repository directory while developing and testing the collection. Once published, anyone who downloads or installs the collection will possess the secrets.
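An added example (not from the bug report or the Ansible project): a pre-publish check that lists what actually ended up in a built collection ``.tar.gz`` and flags secret-like files that ``build_ignore`` did not exclude. The filename patterns, the content regex and the sample archive are assumptions constructed for illustration.

```python
import fnmatch
import io
import re
import tarfile

# Assumed filename patterns (not an official Ansible list); tune per repository.
SUSPECT_NAMES = ["*.log", "*.pem", "*.key", ".env", "*token*", "*vault_pass*"]
# Assumed content heuristic: a key-like name assigned a long opaque value.
SUSPECT_CONTENT = re.compile(
    rb"(?i)(api[_-]?key|token|password|secret)\s*[:=]\s*['\"]?[A-Za-z0-9/+_-]{16,}"
)


def audit_collection(fileobj, max_bytes=1_000_000):
    """Return sorted (member, reason) findings for a collection .tar.gz."""
    findings = set()
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in (m for m in tar.getmembers() if m.isfile()):
            base = member.name.rsplit("/", 1)[-1]
            if any(fnmatch.fnmatch(base, pat) for pat in SUSPECT_NAMES):
                findings.add((member.name, "suspect filename"))
            data = tar.extractfile(member).read(max_bytes)
            if SUSPECT_CONTENT.search(data):
                findings.add((member.name, "secret-like content"))
    return sorted(findings)


def build_sample_tarball():
    """Constructed sample standing in for a built collection artifact."""
    files = {
        "galaxy.yml": b"namespace: example\nname: demo\nversion: 1.0.0\n",
        "plugins/modules/demo.py": b"def main():\n    pass\n",
        "debug-run.log": b"TASK [login] password: CONSTRUCTEDvalue0123456789\n",
        "scratch/notes.txt": b"api_key = CONSTRUCTED0123456789abcdef\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in audit_collection(build_sample_tarball()):
        print(f"{reason}: {name}")
```

To audit a real artifact, pass an open binary file handle for the built ``.tar.gz`` to ``audit_collection`` and add any flagged paths to ``build_ignore`` before rebuilding.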
This bug has been confirmed by Red Hat, but no patch has been released yet.
SOC 8 and SOC 9 are under LTSS; only CVEs with a CVSS base score higher than 7 are taken into account, thus in this case no action.
Back to Security team.