CVE-2021-20228
Information Disclosure vulnerability in ansible (PyPI)
What is CVE-2021-20228 About?
This information disclosure flaw in Ansible Engine 2.9.18 fails to mask sensitive information by default, even when using the `no_log` feature with `basic.py` sub-options. Attackers can obtain sensitive data, primarily impacting confidentiality. Exploitation is simple, as it relies on specific module usage and the absence of default masking.
Affected Software
- ansible
  - >2.9.0a1, <2.9.18rc1
  - >2.10.0a1, <2.10.6rc1
  - <2.8.19rc1
  - <2.9.19
Technical Details
The vulnerability in Ansible Engine 2.9.18 stems from an oversight in how sensitive information is handled, particularly when using the basic.py module's sub-options. Although Ansible provides a no_log feature intended to prevent sensitive data from appearing in logs, this feature does not adequately protect sensitive information passed via sub-options of the basic.py module. Consequently, sensitive data such as passwords, API keys, or other credentials, which are intended to be masked, are actually exposed in logged output or during execution traces. An attacker with access to Ansible logs or output (e.g., through stdout during execution) can thereby obtain this sensitive information, leading to a breach of confidentiality. The flaw is that the masking mechanism is not universally applied or correctly implemented for all input vectors, specifically for sub-options of basic.py.
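The following Python is an added illustration, not Ansible's own code: it models the difference between a `no_log` redactor that inspects only top-level arguments and one that recurses into nested sub-options, which is the gap the paragraph above describes. The argument spec, parameter values and log line are constructed for the example and are not taken from any real module; `leaked()` at the end reports which secrets a log line still contains, which is the check an operator can run over playbook output before sharing it.

```python
"""
Added example (not Ansible's code). Models why `no_log` redaction has to
recurse into sub-options: a walker that looks only at the top-level spec
leaves secrets inside nested `options` in the log unmasked.
"""

REDACTED = "********"

# Constructed argument spec in the style of a module argument_spec.
# Assumption: names, types and values here are illustrative only.
ARGUMENT_SPEC = {
    "name": {"type": "str"},
    "api_token": {"type": "str", "no_log": True},
    "database": {
        "type": "dict",
        "options": {
            "host": {"type": "str"},
            "password": {"type": "str", "no_log": True},
        },
    },
    "replicas": {
        "type": "list",
        "elements": "dict",
        "options": {
            "host": {"type": "str"},
            "password": {"type": "str", "no_log": True},
        },
    },
}

# Constructed parameters a playbook task might pass to such a module.
PARAMS = {
    "name": "app-db",
    "api_token": "tok-constructed-123",
    "database": {"host": "db1.example.internal", "password": "hunter2"},
    "replicas": [
        {"host": "db2.example.internal", "password": "repl-secret"},
    ],
}


def collect_no_log_values_flawed(spec, params):
    """Top-level only: misses secrets held in sub-options."""
    found = []
    for key, meta in spec.items():
        if meta.get("no_log") and params.get(key) is not None:
            found.append(str(params[key]))
    return found


def collect_no_log_values(spec, params):
    """Recursive: also walks `options` for dict and list-of-dict values."""
    found = []
    for key, meta in spec.items():
        value = params.get(key)
        if value is None:
            continue
        if meta.get("no_log"):
            found.append(str(value))
        sub_spec = meta.get("options")
        if not sub_spec:
            continue
        if isinstance(value, dict):
            found.extend(collect_no_log_values(sub_spec, value))
        elif isinstance(value, list):
            for item in value:
                if isinstance(item, dict):
                    found.extend(collect_no_log_values(sub_spec, item))
    return found


def redact(message, secrets):
    """Mask every collected secret; longest first so a secret that is a
    prefix of another does not leave a fragment behind."""
    for secret in sorted(secrets, key=len, reverse=True):
        message = message.replace(secret, REDACTED)
    return message


def leaked(message, secrets):
    """Audit helper: which of the known secrets still appear in a log line."""
    return [s for s in secrets if s in message]


def log_line(params):
    """Constructed stand-in for a module's verbose 'invoked with' log line."""
    return "Invoked with " + repr(params)


if __name__ == "__main__":
    line = log_line(PARAMS)
    all_secrets = collect_no_log_values(ARGUMENT_SPEC, PARAMS)
    flawed_out = redact(line, collect_no_log_values_flawed(ARGUMENT_SPEC, PARAMS))
    fixed_out = redact(line, all_secrets)
    print("top-level only, still leaks:", leaked(flawed_out, all_secrets))
    print("recursive, still leaks:     ", leaked(fixed_out, all_secrets))
```

Running the block prints the sub-option passwords as leaked for the top-level-only walker and an empty list for the recursive one; the same `leaked()` check can be pointed at captured playbook output with the secrets you expect to be masked.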
What is the Impact of CVE-2021-20228?
Successful exploitation may allow attackers to obtain sensitive information, leading to a breach of confidentiality.
What is the Exploitability of CVE-2021-20228?
Exploitation of this vulnerability is of low complexity. It requires no special authentication beyond ordinary user access to the Ansible controller, and no privileges beyond being able to run, or view the output of, Ansible playbooks that use the vulnerable basic.py module with sub-options containing sensitive data. This is typically a local vulnerability or an insider threat scenario, where an attacker has access to the Ansible console output, logs, or execution environment. The crucial prerequisite is the use of Ansible Engine 2.9.18 together with the specific usage pattern of basic.py sub-options carrying sensitive data. The likelihood of exploitation increases if Ansible playbooks are poorly secured, debug logging is excessively verbose, or output is not properly redacted before being exposed to potentially untrusted users.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-20228?
Available Upgrade Options
- ansible
  - <2.8.19rc1 → Upgrade to 2.8.19rc1
  - >2.9.0a1, <2.9.18rc1 → Upgrade to 2.9.18rc1
  - <2.9.19 → Upgrade to 2.9.19
  - >2.10.0a1, <2.10.6rc1 → Upgrade to 2.10.6rc1
Additional Resources
- https://github.com/ansible/ansible/pull/73494
- https://bugzilla.redhat.com/show_bug.cgi?id=1925002
- https://github.com/ansible/ansible/commit/e41d1f0a3fd6c466192e7e24accd3d1c6501111b
- https://github.com/advisories/GHSA-5rrg-rr89-x9mv
- https://www.debian.org/security/2021/dsa-4950
- https://github.com/ansible/ansible/pull/73487
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2021-1.yaml
- https://github.com/ansible/ansible/pull/73493
- https://osv.dev/vulnerability/GHSA-5rrg-rr89-x9mv
What are Similar Vulnerabilities to CVE-2021-20228?
Similar Vulnerabilities: CVE-2023-38031, CVE-2023-28849, CVE-2022-29930, CVE-2022-24376, CVE-2021-39213
