CVE-2021-3620

A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.

CVSS v3 5.5 MEDIUM
CVSS v2.0 2.1 LOW

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1975767	Issue Tracking Patch Third Party Advisory
https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes	Release Notes Third Party Advisory
https://github.com/ansible/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0	Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:ansible_automation_platform_early_access:2.0:::::::*
	cpe:2.3:a:redhat:ansible_engine::::::::
	cpe:2.3:a:redhat:openstack:1:::::::*
	cpe:2.3:a:redhat:openstack:16.1:::::::*
	cpe:2.3:a:redhat:virtualization:4.0:::::::*
	cpe:2.3:a:redhat:virtualization_for_ibm_power_little_endian:4.0:::::::*
	cpe:2.3:a:redhat:virtualization_host:4.0:::::::*
	cpe:2.3:a:redhat:virtualization_manager:4.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:::::::*

History

No history.

Information

Published : 2022-03-03 19:15

Updated : 2023-12-28 19:15

NVD link : CVE-2021-3620

Mitre link : CVE-2021-3620

CVE.ORG link : CVE-2021-3620

JSON object : View

Products Affected

redhat

virtualization_host
ansible_automation_platform_early_access
ansible_engine
virtualization
virtualization_for_ibm_power_little_endian
virtualization_manager
openstack
enterprise_linux
enterprise_linux_for_power_little_endian

CWE

CWE-209

Generation of Error Message Containing Sensitive Information

{"id": "CVE-2021-3620", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2022-03-03T19:15:08.237", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1975767", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes", "tags": ["Release Notes", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/ansible/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0", "tags": ["Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html", "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-209"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-209"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality."}, {"lang": "es", "value": "Se ha encontrado un fallo en el m\u00f3dulo ansible-connection de Ansible Engine, en el que informaci\u00f3n confidencial, como las credenciales de usuario de Ansible, es revelado por defecto en el mensaje de error de rastreo. La mayor amenaza de esta vulnerabilidad es la confidencialidad"}], "lastModified": "2023-12-28T19:15:13.103", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible_automation_platform_early_access:2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E3871C74-20C4-4212-AEF1-D792637A92B8"}, {"criteria": "cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "19A338B7-0C96-497E-AF9C-EA78F143CCBE", "versionEndExcluding": "2.9.27"}, {"criteria": "cpe:2.3:a:redhat:openstack:1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B7FF772-FC99-435A-8D6F-6999656B9593"}, {"criteria": "cpe:2.3:a:redhat:openstack:16.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C9D3F4FF-AD3D-4D17-93E8-84CAFCED2F59"}, {"criteria": "cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6BBD7A51-0590-4DDF-8249-5AFA8D645CB6"}, {"criteria": "cpe:2.3:a:redhat:virtualization_for_ibm_power_little_endian:4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FDE26BBE-BD17-43B4-9C3F-B009F5AD0396"}, {"criteria": "cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB28F9AF-3D06-4532-B397-96D7E4792503"}, {"criteria": "cpe:2.3:a:redhat:virtualization_manager:4.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E0E1B0D8-7067-4FE7-A309-917AE4D59E7E"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "47811209-5CE5-4375-8391-B0A7F6A0E420"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}