CVE-2021-3681

Published: Apr 18, 2022Modified: Nov 21, 2024

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in "galaxy.yml" include files in the ``.tar.gz`` file. This contains sensitive info, such as the user's Ansible Galaxy API key and any secrets in ``ansible`` or ``ansible-playbook`` verbose output without the``no_log`` redaction. Currently, there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets.

Affected (2)

Products: Redhat: Ansible Automation Platform, Ansible Galaxy

2 products

Ansible Automation Platform

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Redhat Ansible Automation Platform	Version 1.2
Redhat Ansible Galaxy	Version 3.3.0

Related CWEs

Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References (4)

https://bugzilla.redhat.com/show_bug.cgi?id=1989407

Source: secalert@redhat.com

Issue TrackingVendor Advisory

https://github.com/ansible/galaxy/issues/1977

Source: secalert@redhat.com

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1989407

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

https://github.com/ansible/galaxy/issues/1977

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.