CVE-2021-20191
Information Disclosure vulnerability in ansible (PyPI)

Vulnerability type: Information Disclosure. Known public exploit: none.

What is CVE-2021-20191 About?

A flaw in Ansible causes credentials and secrets to be disclosed in console logs by default, bypassing the `no_log` feature. An attacker who can read those logs can recover the credentials, so the flaw is easy to exploit once log access is obtained.

Affected Software

  • ansible
    • >2.9.0a1, <2.9.18rc1
    • >2.10.0a1, <2.10.7
    • <2.8.19
    • <2.8.19rc1

Technical Details

This vulnerability exists within Ansible where credentials and secrets that should be protected are written directly to console logs. The `no_log` feature, intended to keep sensitive values out of logs, fails to do so when certain modules are used. An attacker with access to the system's console logs can simply read them to obtain secrets such as API keys and passwords. The result is a loss of credential confidentiality: anyone who can view the logs can use the credentials they contain.

What is the Impact of CVE-2021-20191?

Successful exploitation may allow attackers to steal sensitive credentials, leading to unauthorized access to systems or data and a loss of data confidentiality.

What is the Exploitability of CVE-2021-20191?

Exploitation is straightforward: an attacker only needs access to the console logs of systems running a vulnerable Ansible configuration. No technical prerequisite is required to trigger the disclosure, since it happens by default. Authentication and privilege requirements depend on how the logs are reached (for example, local file system access or a remote log management system), so the attack is local when the logs are read on the host and potentially remote when the logs are centralized and reachable over the network. The main condition is that the vulnerable Ansible modules are in use and their output is being logged. The risk rises significantly when logs are not properly secured or are readable by unauthorized individuals.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-20191?

Available Upgrade Options

  • ansible
    • <2.8.19rc1 → Upgrade to 2.8.19rc1
    • <2.8.19 → Upgrade to 2.8.19
    • >2.9.0a1, <2.9.18rc1 → Upgrade to 2.9.18rc1
    • >2.10.0a1, <2.10.7 → Upgrade to 2.10.7
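The affected and fixed ranges above are easiest to apply with a small script rather than by eye, because the boundaries fall on pre-release versions (2.9.18rc1, 2.8.19rc1) that sort before their final release. The following is an added example, not code from this page or from the Ansible project: it parses version strings in the form the page uses (release numbers plus an optional a/b/rc suffix, an assumption of this example), reproduces the four ranges exactly as listed, including the overlapping 2.8 entries, and reports the fixed release to upgrade to. The `check_installed` helper looks up the `ansible` distribution the page names; the name of that helper and the exact report wording are this example's own.

```python
import re
from importlib import metadata

# Pre-release markers sort below a final release (PEP 440 ordering).
# Assumption (not on the page): only a/b/rc pre-release suffixes are handled.
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3


def parse_version(text):
    """Parse e.g. '2.9.18rc1' into a comparable ((release...), (rank, n)) tuple."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    release += (0,) * (3 - len(release))          # '2.9' -> (2, 9, 0)
    if m.group(2):
        pre = (_PRE_RANK[m.group(2)], int(m.group(3)))
    else:
        pre = (_FINAL_RANK, 0)                     # final release beats any rc
    return release, pre


# Affected ranges exactly as the advisory lists them:
# (exclusive lower bound or None, exclusive upper bound, first fixed release).
AFFECTED_RANGES = [
    (None, "2.8.19rc1", "2.8.19rc1"),
    (None, "2.8.19", "2.8.19"),
    ("2.9.0a1", "2.9.18rc1", "2.9.18rc1"),
    ("2.10.0a1", "2.10.7", "2.10.7"),
]


def affected_fix(version):
    """Return the release to upgrade to if `version` is affected, else None.

    When overlapping ranges match (the 2.8 line lists both the rc and the
    final 2.8.19), the highest listed fix is returned.
    """
    v = parse_version(version)
    fixes = [
        fix
        for low, high, fix in AFFECTED_RANGES
        if (low is None or v > parse_version(low)) and v < parse_version(high)
    ]
    if not fixes:
        return None
    return max(fixes, key=parse_version)


def check_installed():
    """Look up the installed 'ansible' distribution and report its status."""
    try:
        installed = metadata.version("ansible")
    except metadata.PackageNotFoundError:
        return "ansible is not installed in this interpreter"
    fix = affected_fix(installed)
    if fix is None:
        return f"ansible {installed}: not in an affected range for CVE-2021-20191"
    return f"ansible {installed}: affected by CVE-2021-20191, upgrade to {fix}"


if __name__ == "__main__":
    print(check_installed())
```

Run it inside the interpreter (or virtualenv) that Ansible is installed into; the lookup is per-interpreter, so a control node with several environments needs the check in each one. The ranges are kept as the page states them, lower bounds exclusive, which is why 2.9.0a1 itself is reported as not affected.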


Additional Resources

What are Similar Vulnerabilities to CVE-2021-20191?

Similar Vulnerabilities: CVE-2021-21429, CVE-2022-2144, CVE-2022-45097, CVE-2022-2357, CVE-2021-23611