{"containers": {"cna": {"affected": [{"product": "ansible", "vendor": "n/a", "versions": [{"status": "affected", "version": "ansible 3.3.0"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in \"galaxy.yml\" include files in the ``.tar.gz`` file. This contains sensitive info, such as the user's Ansible Galaxy API key and any secrets in ``ansible`` or ``ansible-playbook`` verbose output without the``no_log`` redaction. Currently, there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522->CWE-212", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-18T16:20:37", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1989407"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ansible/galaxy/issues/1977"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:01:07.697Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1989407"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ansible/galaxy/issues/1977"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2021-3681", "datePublished": "2022-04-18T16:20:37", "dateReserved": "2021-08-03T00:00:00", "dateUpdated": "2024-08-03T17:01:07.697Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible_automation_platform:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "CBA4F8F3-6FC3-4ADD-BB96-A707E94AB0AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_galaxy:3.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "1690AEF3-1BBC-40FE-9B89-AD11691269B7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in \"galaxy.yml\" include files in the ``.tar.gz`` file. This contains sensitive info, such as the user's Ansible Galaxy API key and any secrets in ``ansible`` or ``ansible-playbook`` verbose output without the``no_log`` redaction. Currently, there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets."}, {"lang": "es", "value": "Se ha encontrado un fallo en Ansible Galaxy Collections. Cuando las colecciones son construidas manualmente, cualquier archivo en el directorio del repositorio que no sea excluido expl\u00edcitamente por medio de la lista \"build_ignore\" en \"galaxy.yml\" incluye archivos en el archivo \".tar.gz\". Esto contiene informaci\u00f3n confidencial, como la clave de la API de Ansible Galaxy del usuario y cualquier secreto en la salida verbosa de \"ansible\" o \"ansible-playbook\" sin la redacci\u00f3n \"no_log\". Actualmente, no se presenta forma de eliminar una colecci\u00f3n o una versi\u00f3n de la colecci\u00f3n. Una vez publicada, cualquiera que descargue o instale la colecci\u00f3n puede visualizar los secretos"}], "id": "CVE-2021-3681", "lastModified": "2023-11-07T03:38:12.500", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-18T17:15:15.507", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1989407"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ansible/galaxy/issues/1977"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"bugzilla": {"description": "ansible: Secrets leakage vulnerability with ansible collections and ansible galaxy", "id": "1989407", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1989407"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-522->CWE-212", "details": ["A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in \"galaxy.yml\" include files in the ``.tar.gz`` file. This contains sensitive info, such as the user's Ansible Galaxy API key and any secrets in ``ansible`` or ``ansible-playbook`` verbose output without the``no_log`` redaction. Currently, there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets.", "A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in \"galaxy.yml\" include files in the ``.tar.gz`` file. This contains sensitive info, such as the user's Ansible Galaxy API key and any secrets in ``ansible`` or ``ansible-playbook`` verbose output without the``no_log`` redaction. Currently, there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets. The highest threat from this vulnerability is to confidentiality."], "name": "CVE-2021-3681", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Affected", "package_name": "Ansible", "product_name": "Red Hat Ansible Automation Platform 1.2"}], "public_date": "2021-08-04T07:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-3681\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3681\nhttps://github.com/ansible/galaxy/issues/1977"], "threat_severity": "Important"}