PT-2021-8091 · Unknown+6 · Ansible Engine+6

Dalrrard · Published 2021-06-24 · Updated 2025-05-04 · CVE-2021-3620

CVSS v4.0: 6.8 Medium

Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Ansible Engine versions prior to 2.8.15

Description

A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.

Recommendations

For versions prior to 2.8.15, update to a version that contains a fix for this issue, such as version 2.8.16 or later, to prevent sensitive information disclosure. As a temporary workaround, consider disabling the ansible-connection module until a patch is available. Restrict access to the set options function to minimize the risk of exploitation. Avoid using the set options function in the affected ansible-connection module until the issue is resolved.

Fix

DoS

Generation of Error Message Containing Sensitive Information

Weakness Enumeration

Related Identifiers

ALT-PU-2022-1046
ALT-PU-2022-1098
ALT-PU-2022-1153
BDU:2024-06959
CVE-2021-3620
DLA-3695-1
DLA-3695-2
GHSA-4R65-35QQ-CH8J
MGASA-2021-0487
OPENSUSE-SU-2022_3178-1
OPENSUSE-SU-2024:12302-1
PYSEC-2022-164
RHSA-2021:3871
RHSA-2021:3872
RHSA-2021:3874
RHSA-2021:4703
RHSA-2021:4750
SUSE-SU-2021:4152-1
SUSE-SU-2022:3178-1
SUSE-SU-2024:0196-1
USN-5315-1

Affected Products

Alt Linux
Ansible Engine
Astra Linux
Linuxmint
Red Os
Suse
Ubuntu