CVE-2021-3681
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in "galaxy.yml" include files in the ``.tar.gz`` file. This contains sensitive info, such as the user's Ansible Galaxy API key and any secrets in ``ansible`` or ``ansible-playbook`` verbose output without the``no_log`` redaction. Currently, there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets.
Se ha encontrado un fallo en Ansible Galaxy Collections. Cuando las colecciones son construidas manualmente, cualquier archivo en el directorio del repositorio que no sea excluido explícitamente por medio de la lista "build_ignore" en "galaxy.yml" incluye archivos en el archivo ".tar.gz". Esto contiene información confidencial, como la clave de la API de Ansible Galaxy del usuario y cualquier secreto en la salida verbosa de "ansible" o "ansible-playbook" sin la redacción "no_log". Actualmente, no se presenta forma de eliminar una colección o una versión de la colección. Una vez publicada, cualquiera que descargue o instale la colección puede visualizar los secretos
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-08-03 CVE Reserved
- 2022-04-18 CVE Published
- 2023-11-09 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-522: Insufficiently Protected Credentials
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://github.com/ansible/galaxy/issues/1977 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1989407 | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Redhat Search vendor "Redhat" | Ansible Automation Platform Search vendor "Redhat" for product "Ansible Automation Platform" | 1.2 Search vendor "Redhat" for product "Ansible Automation Platform" and version "1.2" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Ansible Galaxy Search vendor "Redhat" for product "Ansible Galaxy" | 3.3.0 Search vendor "Redhat" for product "Ansible Galaxy" and version "3.3.0" | - |
Affected
|