CVE-2021-20178
Disclosure of Sensitive Information vulnerability in ansible (PyPI)
What is CVE-2021-20178 About?
This flaw in an Ansible module (bitbucket_pipeline_variable) discloses credentials in console logs by default, bypassing security features. This allows attackers to steal Bitbucket Pipeline credentials, leading to a high impact on confidentiality. The vulnerability is easy to exploit.
Affected Software
Technical Details
A vulnerability exists within an Ansible module, specifically when using the bitbucket_pipeline_variable module. This module, intended for managing Bitbucket pipeline variables, fails to adequately protect sensitive information. By default, credentials, such as API tokens or passwords, are inadvertently printed to the console logs during Ansible playbook execution. This occurs because the module does not properly utilize or respect Ansible's built-in security features designed to redact or obfuscate sensitive data from logs. Consequently, any attacker with access to these console logs can easily extract the Bitbucket Pipeline credentials, leading to unauthorized access to associated Bitbucket resources and repositories.
What is the Impact of CVE-2021-20178?
Successful exploitation may allow attackers to steal credentials, gain unauthorized access to sensitive systems, or compromise confidential project data.
What is the Exploitability of CVE-2021-20178?
Exploitation of this vulnerability is straightforward and requires access to the console logs where Ansible playbooks are executed. This implies an authenticated user with permissions to view logs, or physical access. No special privileges are required beyond log access. This is primarily a local access vulnerability, though an attacker could potentially gain remote access to logs through other means. The risk is significantly increased in environments where log access is broad or not properly secured, allowing sensitive credentials to be exposed. No complex prerequisites are necessary.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2021-20178?
Available Upgrade Options
- ansible
- <2.9.18 → Upgrade to 2.9.18
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/ansible-collections/community.general/pull/1635%2C
- https://github.com/ansible/ansible/blob/v2.9.18/changelogs/CHANGELOG-v2.9.rst#security-fixes%2C
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIU7QZUV73U6ZQ65VJWSFBTCALVXLH55/
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2021-106.yaml
- https://github.com/ansible/ansible/blob/v2.9.18/changelogs/CHANGELOG-v2.9.rst#security-fixes,
- https://osv.dev/vulnerability/GHSA-wv5p-gmmv-wh9v
- https://github.com/ansible-collections/community.general/commit/1d0c5e2ba47724c31a18d7b08b9daf13df8829dc
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUQ2QKAQA5OW2TY3ACZZMFIAJ2EQTG37/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIU7QZUV73U6ZQ65VJWSFBTCALVXLH55/
- https://nvd.nist.gov/vuln/detail/CVE-2021-20178
What are Similar Vulnerabilities to CVE-2021-20178?
Similar Vulnerabilities: CVE-2023-45899 , CVE-2023-42470 , CVE-2022-2900 , CVE-2022-27663 , CVE-2021-4190
