{"containers": {"cna": {"affected": [{"product": "Ansible", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed in ansible 2.9.18"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-16T14:12:30", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1915808"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2021-20180", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Ansible", "version": {"version_data": [{"version_value": "Fixed in ansible 2.9.18"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-532"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1915808", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1915808"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:30:07.435Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1915808"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2021-20180", "datePublished": "2022-03-16T14:12:30", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2024-08-03T17:30:07.435Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "matchCriteriaId": "720A73E8-481A-4C14-B06B-7E2D0C1FFAD1", "versionEndExcluding": "2.9.18", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality."}, {"lang": "es", "value": "Se ha encontrado un fallo en el m\u00f3dulo de ansible en el que las credenciales son divulgadas en el registro de la consola por defecto y no est\u00e1n protegidas por la funci\u00f3n de seguridad cuando es usado el m\u00f3dulo bitbucket_pipeline_variable. Este fallo permite a un atacante robar las credenciales de bitbucket_pipeline. La mayor amenaza de esta vulnerabilidad es la confidencialidad"}], "id": "CVE-2021-20180", "lastModified": "2022-03-22T15:43:20.557", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-16T15:15:09.927", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1915808"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Abhijeet Kasurde (Red Hat).", "affected_release": [{"advisory": "RHSA-2021:1079", "cpe": "cpe:/a:redhat:ansible_automation_platform:1.2::el7", "package": "ansible-automation-platform/platform-resource-operator-bundle:v0.1.1-1", "product_name": "Red Hat Ansible Automation Platform 1.2 for RHEL 7", "release_date": "2021-04-09T00:00:00Z"}, {"advisory": "RHSA-2021:1079", "cpe": "cpe:/a:redhat:ansible_automation_platform:1.2::el7", "package": "ansible-automation-platform/platform-resource-rhel7-operator:v0.1.0-12", "product_name": "Red Hat Ansible Automation Platform 1.2 for RHEL 7", "release_date": "2021-04-09T00:00:00Z"}, {"advisory": "RHSA-2021:1079", "cpe": "cpe:/a:redhat:ansible_automation_platform:1.2::el7", "package": "ansible-automation-platform/platform-resource-runner-rhel7:v0.1.0-15", "product_name": "Red Hat Ansible Automation Platform 1.2 for RHEL 7", "release_date": "2021-04-09T00:00:00Z"}, {"advisory": "RHSA-2021:0664", "cpe": "cpe:/a:redhat:ansible_engine:2.9::el7", "package": "ansible-0:2.9.18-1.el7ae", "product_name": "Red Hat Ansible Engine 2.9 for RHEL 7", "release_date": "2021-02-24T00:00:00Z"}, {"advisory": "RHSA-2021:0664", "cpe": "cpe:/a:redhat:ansible_engine:2.9::el8", "package": "ansible-0:2.9.18-1.el8ae", "product_name": "Red Hat Ansible Engine 2.9 for RHEL 8", "release_date": "2021-02-24T00:00:00Z"}, {"advisory": "RHSA-2021:0663", "cpe": "cpe:/a:redhat:ansible_engine:2::el7", "package": "ansible-0:2.9.18-1.el7ae", "product_name": "Red Hat Ansible Engine 2 for RHEL 7", "release_date": "2021-02-24T00:00:00Z"}, {"advisory": "RHSA-2021:0663", "cpe": "cpe:/a:redhat:ansible_engine:2::el8", "package": "ansible-0:2.9.18-1.el8ae", "product_name": "Red Hat Ansible Engine 2 for RHEL 8", "release_date": "2021-02-24T00:00:00Z"}, {"advisory": "RHSA-2021:2180", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package": "ansible-0:2.9.18-1.el8ae", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2021-06-01T00:00:00Z"}, {"advisory": "RHSA-2021:2180", "cpe": "cpe:/a:redhat:rhev_manager:4.4:el8", "package": "ansible-0:2.9.18-1.el8ae", "product_name": "Red Hat Virtualization Engine 4.4", "release_date": "2021-06-01T00:00:00Z"}], "bugzilla": {"description": "module: bitbucket_pipeline_variable exposes secured values", "id": "1915808", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1915808"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-532", "details": ["A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.", "A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality."], "name": "CVE-2021-20180", "package_state": [{"cpe": "cpe:/a:redhat:ansible_tower:3", "fix_state": "Out of support scope", "package_name": "ansible", "product_name": "Red Hat Ansible Tower 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "ansible", "product_name": "Red Hat Storage 3"}], "public_date": "2021-01-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-20180\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-20180"], "statement": "The version of Ansible provided in Red Hat Gluster Storage 3 does not contain the vulnerable bitbucket module and is not affected by this vulnerability. However, Red Hat Gluster Storage 3 no longer maintains its own version of Ansible. The prerequisite is to enable the Ansible repository in order to consume the latest version of Ansible, which includes bug and security fixes.", "threat_severity": "Moderate", "upstream_fix": "ansible 2.9.18"}