PT-2021-3601 · Red Hat · Ansible Engine

Jborean93 · Published 2021-03-12 · Updated 2026-06-03 · CVE-2021-20228

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Ansible Engine versions prior to 2.10.6rc1
Ansible Engine versions prior to 2.9.18rc1
Ansible Engine versions prior to 2.8.19rc1

Description

A flaw was found in the Ansible Engine, where sensitive information is not masked by default and is not protected by the no log feature when using the sub-option feature of the basic.py module. This allows an attacker to obtain sensitive information, with the highest threat being to confidentiality.

Recommendations

For Ansible Engine versions prior to 2.10.6rc1, update to version 2.10.6rc1 or later. For Ansible Engine versions prior to 2.9.18rc1, update to version 2.9.18rc1 or later. For Ansible Engine versions prior to 2.8.19rc1, update to version 2.8.19rc1 or later. As a temporary workaround, consider disabling the sub-option feature of the basic.py module until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation.
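The class of flaw in the description, shown as an added example that is not Ansible's own code: a masking pass that reads `no_log` only on top-level parameters leaves secrets declared under sub-options (`options`) in the log line, while a recursive pass masks them. The spec, parameter values, function names and mask string are constructed for illustration.

```python
# Added illustration: plain dicts stand in for a module's argument_spec.
MASK = "********"  # constructed placeholder, not Ansible's own marker

# Constructed sample spec and task parameters (not from any real module).
SPEC = {
    "api_token": {"type": "str", "no_log": True},
    "proxy": {"type": "dict", "options": {
        "host": {"type": "str"},
        "password": {"type": "str", "no_log": True}}},
    "users": {"type": "list", "elements": "dict", "options": {
        "login": {"type": "str"},
        "secret": {"type": "str", "no_log": True}}},
}
PARAMS = {
    "api_token": "tok-111",
    "proxy": {"host": "proxy.example", "password": "pw-222"},
    "users": [{"login": "a", "secret": "s-333"},
              {"login": "b", "secret": "s-444"}],
}

def no_log_values_flat(spec, params):
    """Collect secrets from top-level parameters only (sub-options ignored)."""
    return {str(params[k]) for k, opt in spec.items()
            if opt.get("no_log") and params.get(k) is not None}

def no_log_values_recursive(spec, params):
    """Collect secrets from every level, descending into `options`."""
    found = set()
    for key, opt in spec.items():
        value = params.get(key)
        if value is None:
            continue
        if opt.get("no_log"):
            found.add(str(value))
        items = value if isinstance(value, list) else [value]
        for item in items:
            if opt.get("options") and isinstance(item, dict):
                found |= no_log_values_recursive(opt["options"], item)
    return found

def mask(text, secrets):
    """Replace each collected secret in a log line, longest first."""
    for secret in sorted(secrets, key=len, reverse=True):
        text = text.replace(secret, MASK)
    return text

if __name__ == "__main__":
    line = "invoked with " + repr(PARAMS)
    print(mask(line, no_log_values_flat(SPEC, PARAMS)))       # sub-option secrets still visible
    print(mask(line, no_log_values_recursive(SPEC, PARAMS)))  # all four secrets masked
```

The same recursive walk can be pointed at a custom module's `argument_spec` to list which nested parameters carry `no_log`, which helps when reviewing logs written by unpatched versions.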

Fix

Information Disclosure

Insufficiently Protected Credentials


Weakness Enumeration

Related Identifiers

ALT-PU-2021-1512
ALT-PU-2021-1533
AZL-6304
BDU:2021-03706
CVE-2021-20228
DSA-4950-1
GHSA-5RRG-RR89-X9MV
MGASA-2021-0131
MGASA-2021-0132
OPENSUSE-SU-2022:0081-1
OPENSUSE-SU-2022_3178-1
OPENSUSE-SU-2024:10615-1
OPENSUSE-SU-2024:14244-1
OPENSUSE-SU-2024:14536-1
OPENSUSE-SU-2025:15605-1
OPENSUSE-SU-2025:15753-1
OPENSUSE-SU-2026:10944-1
PYSEC-2021-1
RHSA-2021:0663
RHSA-2021:0664
RHSA-2021:2180
ROSA-SA-2024-2532
SUSE-SU-2021:2121-1
SUSE-SU-2022:3178-1
SUSE-SU-2024:0196-1

Affected Products

Alt Linux
Ansible Engine
Astra Linux
Suse