[Bugs] [Bug 13484] New: [CVE 21] ansible 2.9.10 CVEs found

bugzilla bugzilla at rosalinux.ru
Wed Aug 23 15:17:40 MSK 2023


https://bugzilla.rosalinux.ru/show_bug.cgi?id=13484

          Platform: 2021.1
            Bug ID: 13484
           Summary: [CVE 21] ansible 2.9.10 CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2021-20178, CVE-2021-20180, CVE-2021-20191,
                    CVE-2022-3697,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs at lists.rosalinux.ru
          Reporter: y.tumanov at rosalinux.ru
        QA Contact: bugs at lists.rosalinux.ru
                CC: e.kosachev at rosalinux.ru, m.novosyolov at rosalinux.ru,
                    s.matveev at rosalinux.ru, y.tumanov at rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package ansible version 2.9.10  
INFO (CVEs are): ansible 2.9.10 cves found
CVE-2021-20178
Desc: A flaw was found in ansible module where credentials are disclosed in the
console log by default and not protected by the security feature when using the
bitbucket_pipeline_variable module. This flaw allows an attacker to steal
bitbucket_pipeline credentials. The highest threat from this vulnerability is
to confidentiality.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-20178
Severity: MEDIUM
CVE-2021-20180
Desc: A flaw was found in ansible module where credentials are disclosed in the
console log by default and not protected by the security feature when using the
bitbucket_pipeline_variable module. This flaw allows an attacker to steal
bitbucket_pipeline credentials. The highest threat from this vulnerability is
to confidentiality.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-20180
Severity: MEDIUM
CVE-2021-20191
Desc: A flaw was found in ansible. Credentials, such as secrets, are being
disclosed in console log by default and not protected by no_log feature when
using those modules. An attacker can take advantage of this information to
steal those credentials. The highest threat from this vulnerability is to data
confidentiality. Versions before ansible 2.9.18 are affected.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-20191
Severity: MEDIUM
CVE-2022-3697
Desc: A flaw was found in Ansible in the amazon.aws collection when using the
tower_callback parameter from the amazon.aws.ec2_instance module. This flaw
allows an attacker to take advantage of this issue as the module is handling
the parameter insecurely, leading to the password leaking in the logs.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-3697
Severity: HIGH

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.