Bugzilla – Bug 1187725
VUL-0: CVE-2021-3620: ansible1,ansible: ansible-connection module discloses sensitive info in traceback error message
Last modified: 2022-05-30 15:13:19 UTC
A flaw was found in Ansible Engine's ansible-connection module where sensitive info like the ansible user credentials are disclosed by default in the traceback error message. The highest threat out of this vulnerability is to Confidentiality.
- SUSE:SLE-11-SP3:Update:Teradata/ansible 2.9.22
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/ansible 2.9.22
- SUSE:SLE-15:Update/ansible 2.9.21
- SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update/ansible 2.9.21
- openSUSE:Factory/ansible 2.9.23
Upstream patch .
The Ansible engineering team said that the current fix addresses (Partially) this specific issue. The correct fix is still under development  and will be included at earliest the Sept 13 with release of 2.9.26.
So, @Matej please hold on with this bug.
An update from RH  stands that the security bug was not addressed in 2.9.26 and it will in 2.9.27.
The patch is now available , can you please backport it?
SUSE-SU-2021:4152-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1176460,1187725,1188061
CVE References: CVE-2021-3583,CVE-2021-3620
SUSE OpenStack Cloud Crowbar 8 (src): ansible-2.9.27-3.21.1
SUSE OpenStack Cloud 8 (src): ansible-2.9.27-3.21.1
HPE Helion Openstack 8 (src): ansible-2.9.27-3.21.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
are you responsible for SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update/ansible, it requires a submission as well.
Moreover, I don't see submissions for: