PT-2021-8096 · Ansible+3 · Ansible+4

Borja Tarraso

·

Published

2021-01-17

·

Updated

2025-11-21

·

CVE-2021-20191

CVSS v3.1

5.5

Medium

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Ansible versions prior to 2.9.18
Description A flaw was found in Ansible where credentials, such as secrets, are disclosed in the console log by default and not protected by the no log feature when using certain modules. This allows an attacker to steal those credentials, posing the highest threat to data confidentiality.
Recommendations For versions prior to 2.9.18, update to version 2.9.18 or later to resolve the issue. As a temporary workaround, consider disabling the use of modules that disclose credentials in the console log until a patch is available. Restrict access to the console log to minimize the risk of exploitation. Avoid using sensitive credentials in modules that are not protected by the no log feature until the issue is resolved.

Fix

Insertion into Log File

Weakness Enumeration

CWE-532

Related Identifiers

ALT-PU-2021-1383
ALT-PU-2021-1395
ALT-PU-2021-1800
BDU:2024-06980
CVE-2021-20191
DLA-3695-1
DLA-3695-2
GHSA-8F4M-HCCC-8QPH
MGASA-2021-0131
MGASA-2021-0132
OESA-2021-1349
OESA-2022-1950
OPENSUSE-SU-2022:0081-1
OPENSUSE-SU-2022_3178-1
OPENSUSE-SU-2024:10615-1
OPENSUSE-SU-2024:14244-1
OPENSUSE-SU-2024:14536-1
OPENSUSE-SU-2025:15605-1
OPENSUSE-SU-2025:15753-1
PYSEC-2021-124
RHSA-2021:0663
RHSA-2021:0664
RHSA-2021:2180
ROSA-SA-2024-2334
ROSA-SA-2024-2532
SUSE-SU-2021:2121-1
SUSE-SU-2022:3178-1
SUSE-SU-2024:0196-1

Affected Products

Alt Linux
Ansible
Ansible-Core
Astra Linux
Suse