CVE-2021-3620
Information Disclosure vulnerability in ansible (PyPI)
What is CVE-2021-3620 About?
This information disclosure vulnerability in Ansible Engine's ansible-connection module exposes sensitive user credentials. The flaw occurs when an unexpected response triggers a traceback error message, containing the plain-text credentials. This vulnerability is moderately easy to exploit as it relies on triggering specific error conditions during connection attempts.
Affected Software
Technical Details
The vulnerability resides in the ansible-connection module of Ansible Engine. When the set_options function receives an unexpected response, it triggers a traceback error message. This traceback message, by default, includes sensitive information, specifically the Ansible user credentials, in cleartext. This means that if an attacker can provoke an unexpected response during a connection attempt managed by the vulnerable ansible-connection module, the resulting error output will disclose authentication details, compromising confidentiality.
What is the Impact of CVE-2021-3620?
Successful exploitation may allow attackers to disclose sensitive information, specifically user credentials, leading to unauthorized access, privilege escalation, or further compromise of the system.
What is the Exploitability of CVE-2021-3620?
Exploiting this vulnerability generally requires an attacker to induce an error condition during an Ansible connection attempt, potentially through malformed requests or unexpected responses from the target. Authentication to interact with the Ansible system might be a prerequisite, although the vulnerability itself discloses credentials. The access needed could be local, or remote if the error messages are transmitted or available to the attacker. The complexity is moderate, as it involves understanding how to trigger the specific error. Greater likelihood of exploitation occurs in environments where error logging is not adequately secured or where attackers can easily observe system responses.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2021-3620?
Available Upgrade Options
- ansible
- <2.9.27 → Upgrade to 2.9.27
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://osv.dev/vulnerability/GHSA-4r65-35qq-ch8j
- https://github.com/ansible/ansible
- https://github.com/advisories/GHSA-4r65-35qq-ch8j
- https://access.redhat.com/errata/RHSA-2021:3871
- https://github.com/ansible/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0
- https://access.redhat.com/security/cve/CVE-2021-3620
- https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
- https://access.redhat.com/errata/RHSA-2021:3872
- https://bugzilla.redhat.com/show_bug.cgi?id=1975767
What are Similar Vulnerabilities to CVE-2021-3620?
Similar Vulnerabilities: CVE-2020-1753 , CVE-2019-14846 , CVE-2020-14330 , CVE-2020-1733
