// For flags

CVE-2021-3681

 

Severity Score

5.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in "galaxy.yml" include files in the ``.tar.gz`` file. This contains sensitive info, such as the user's Ansible Galaxy API key and any secrets in ``ansible`` or ``ansible-playbook`` verbose output without the``no_log`` redaction. Currently, there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets.

Se ha encontrado un fallo en Ansible Galaxy Collections. Cuando las colecciones son construidas manualmente, cualquier archivo en el directorio del repositorio que no sea excluido explícitamente por medio de la lista "build_ignore" en "galaxy.yml" incluye archivos en el archivo ".tar.gz". Esto contiene información confidencial, como la clave de la API de Ansible Galaxy del usuario y cualquier secreto en la salida verbosa de "ansible" o "ansible-playbook" sin la redacción "no_log". Actualmente, no se presenta forma de eliminar una colección o una versión de la colección. Una vez publicada, cualquiera que descargue o instale la colección puede visualizar los secretos

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-08-03 CVE Reserved
  • 2022-04-18 CVE Published
  • 2023-11-09 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-522: Insufficiently Protected Credentials
CAPEC
References (2)
URL Tag Source
https://github.com/ansible/galaxy/issues/1977 Third Party Advisory
URL Date SRC
URL Date SRC
URL Date SRC
https://bugzilla.redhat.com/show_bug.cgi?id=1989407 2023-11-07
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Redhat
Search vendor "Redhat"
 Ansible Automation Platform
Search vendor "Redhat" for product "Ansible Automation Platform"
 1.2
Search vendor "Redhat" for product "Ansible Automation Platform" and version "1.2"
-
Affected
Redhat
Search vendor "Redhat"
 Ansible Galaxy
Search vendor "Redhat" for product "Ansible Galaxy"
 3.3.0
Search vendor "Redhat" for product "Ansible Galaxy" and version "3.3.0"
-
Affected