PT-2022-10553 · Red Hat · Ansible Galaxy Collections

Published: 2022-04-18 · Updated: 2022-04-27 · CVE-2021-3681

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Ansible Galaxy Collections (affected versions not specified)

Description: A flaw was found in Ansible Galaxy Collections. When collections are built manually, any file in the repository directory that is not explicitly excluded via the build ignore list in "galaxy.yml" is included in the .tar.gz archive. Such an archive can contain sensitive information, such as the user's Ansible Galaxy API key and any secrets present in "ansible" or "ansible-playbook" verbose output that was not redacted with "no_log". Currently there is no way to deprecate a Collection or delete a Collection Version, so once the collection is published, anyone who downloads or installs it can view the secrets.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
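As an added illustration (not part of this advisory and not Ansible's own code), the following Python script approximates which files a manual collection build would package given the build_ignore patterns from "galaxy.yml", and flags names that suggest credentials or unredacted run output; the default exclusion list and the name heuristics are assumptions, and the sample paths in the comments are constructed.

```python
"""Pre-publish audit for a manually built Ansible collection (added example).

Approximates what `ansible-galaxy collection build` packages: every file under the
root except those matching build_ignore patterns from galaxy.yml, then flags names
that suggest credentials or unredacted verbose run output.
"""
import fnmatch
import os
import re
import sys

# Assumed approximation of the exclusions ansible-galaxy applies on its own.
DEFAULT_IGNORE = ["galaxy.yml", "*.pyc", "*.retry", ".git", "tests/output"]
# Constructed heuristic: names that often carry secrets or verbose output.
SUSPECT_NAME = re.compile(r"token|secret|credential|vault|\.log$|\.retry$|\.env$", re.I)


def is_ignored(relpath, patterns):
    """True if relpath, any parent directory, or any path component matches a pattern."""
    parts = relpath.split("/")
    for i in range(1, len(parts) + 1):
        prefix = "/".join(parts[:i])
        if any(fnmatch.fnmatch(prefix, p) or fnmatch.fnmatch(parts[i - 1], p)
               for p in patterns):
            return True
    return False


def packaged_files(relpaths, build_ignore):
    """Files that would land in the .tar.gz for the given build_ignore list."""
    patterns = DEFAULT_IGNORE + list(build_ignore)
    return [p for p in relpaths if not is_ignored(p, patterns)]


def audit(relpaths, build_ignore):
    """Return (files packaged, the subset whose names look sensitive)."""
    included = packaged_files(relpaths, build_ignore)
    return included, [p for p in included if SUSPECT_NAME.search(p)]


def walk(root):
    """Relative forward-slash paths of every file under root."""
    return sorted(os.path.relpath(os.path.join(d, f), root).replace(os.sep, "/")
                  for d, _, files in os.walk(root) for f in files)


if __name__ == "__main__":
    # Usage: audit.py <collection_root> [build_ignore pattern ...]
    # e.g. a constructed tree holding "debug_run.log" and "galaxy_token" gets both flagged
    included, flagged = audit(walk(sys.argv[1]), sys.argv[2:])
    print(f"{len(included)} files would be packaged, {len(flagged)} look sensitive:")
    for path in flagged:
        print("  ", path)
```

Running it before publishing, and adding every flagged path to build_ignore, removes the files from the archive before the point at which the advisory notes they can no longer be withdrawn.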

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2021-3681

Affected Products

Ansible Galaxy Collections