<html>
<head>
<base href="https://bugzilla.rosalinux.ru/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Platform</th>
<td>2021.1
</td>
</tr>
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_CONFIRMED "
title="CONFIRMED - [CVE 21] ansible 2.9.10 CVEs found"
href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13484">13484</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[CVE 21] ansible 2.9.10 CVEs found
</td>
</tr>
<tr>
<th>Classification</th>
<td>ROSA-based products
</td>
</tr>
<tr>
<th>Product</th>
<td>ROSA Fresh
</td>
</tr>
<tr>
<th>Version</th>
<td>All
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>URL</th>
<td>CVE-2021-20178, CVE-2021-20180, CVE-2021-20191, CVE-2022-3697,
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>CONFIRMED
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>Normal
</td>
</tr>
<tr>
<th>Component</th>
<td>System (kernel, glibc, systemd, bash, PAM...)
</td>
</tr>
<tr>
<th>Assignee</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>Reporter</th>
<td>y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>CC</th>
<td>e.kosachev@rosalinux.ru, m.novosyolov@rosalinux.ru, s.matveev@rosalinux.ru, y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>Target Milestone</th>
<td>---
</td>
</tr>
<tr>
<th>Flags</th>
<td>secteam_verified?
</td>
</tr></table>
<p>
<div>
<pre>Please patch CVEs for package ansible version 2.9.10
INFO (CVEs are): ansible 2.9.10 cves found
CVE-2021-20178
Desc: A flaw was found in ansible module where credentials are disclosed in the
console log by default and not protected by the security feature when using the
bitbucket_pipeline_variable module. This flaw allows an attacker to steal
bitbucket_pipeline credentials. The highest threat from this vulnerability is
to confidentiality.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-20178">https://nvd.nist.gov/vuln/detail/CVE-2021-20178</a>
Severity: MEDIUM
CVE-2021-20180
Desc: A flaw was found in ansible module where credentials are disclosed in the
console log by default and not protected by the security feature when using the
bitbucket_pipeline_variable module. This flaw allows an attacker to steal
bitbucket_pipeline credentials. The highest threat from this vulnerability is
to confidentiality.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-20180">https://nvd.nist.gov/vuln/detail/CVE-2021-20180</a>
Severity: MEDIUM
CVE-2021-20191
Desc: A flaw was found in ansible. Credentials, such as secrets, are being
disclosed in console log by default and not protected by no_log feature when
using those modules. An attacker can take advantage of this information to
steal those credentials. The highest threat from this vulnerability is to data
confidentiality. Versions before ansible 2.9.18 are affected.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-20191">https://nvd.nist.gov/vuln/detail/CVE-2021-20191</a>
Severity: MEDIUM
CVE-2022-3697
Desc: A flaw was found in Ansible in the amazon.aws collection when using the
tower_callback parameter from the amazon.aws.ec2_instance module. This flaw
allows an attacker to take advantage of this issue as the module is handling
the parameter insecurely, leading to the password leaking in the logs.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-3697">https://nvd.nist.gov/vuln/detail/CVE-2022-3697</a>
Severity: HIGH</pre>
</div>
</p>
</body>
</html>