Bug 1181119 (CVE-2021-20191) - VUL-0: CVE-2021-20191: ansible1,ansible: multiple collections exposes secured values
Summary: VUL-0: CVE-2021-20191: ansible1,ansible: multiple collections exposes secured...
Status: RESOLVED FIXED
Alias: CVE-2021-20191
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/275654/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-20191:5.0:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-19 14:01 UTC by Robert Frohl
Modified: 2024-05-16 13:01 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2021-01-19 14:01:14 UTC 
rh#1916813

A few different modules in Ansible-collection leaks sensitive data such as secret values. This could lead in disclosing those credentials for every user which has access to the output of playbook execution.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1916813
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20191
https://access.redhat.com/security/cve/CVE-2021-20191
https://github.com/ansible-collections/cisco.nxos/pull/227
Comment 1 Robert Frohl 2021-01-19 14:02:28 UTC 
tracking as affected:
- SUSE:SLE-11-SP3:Update:Teradata/ansible
- SUSE:SLE-12-SP2:Update:Products:Cloud7:Update/ansible
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/ansible
Comment 2 Matej Cepl 2021-02-09 22:34:03 UTC 
Waiting on release 2.9.18.
https://github.com/ansible/ansible/commits/stable-2.9
Comment 5 Swamp Workflow Management 2021-06-22 16:19:23 UTC 
SUSE-SU-2021:2121-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1180816,1180942,1181119,1181935,1183684
CVE References: CVE-2021-20178,CVE-2021-20180,CVE-2021-20191,CVE-2021-20228,CVE-2021-3447
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ansible-2.9.22-3.18.1
SUSE OpenStack Cloud 8 (src):    ansible-2.9.22-3.18.1
HPE Helion Openstack 8 (src):    ansible-2.9.22-3.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2022-03-16 20:19:14 UTC 
openSUSE-SU-2022:0081-1: An update that solves 26 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1099808,1112959,1118896,1126503,1137528,1157968,1157969,1164133,1164134,1164135,1164136,1164137,1164138,1164139,1164140,1165393,1166389,1167440,1167532,1167873,1171162,1174145,1174302,1180816,1180942,1181119,1181935
CVE References: CVE-2018-10875,CVE-2018-16837,CVE-2019-10156,CVE-2019-14846,CVE-2019-14904,CVE-2019-14905,CVE-2020-10684,CVE-2020-10685,CVE-2020-10691,CVE-2020-10729,CVE-2020-14330,CVE-2020-14332,CVE-2020-1733,CVE-2020-1734,CVE-2020-1735,CVE-2020-1736,CVE-2020-1737,CVE-2020-1738,CVE-2020-1739,CVE-2020-1740,CVE-2020-1746,CVE-2020-1753,CVE-2021-20178,CVE-2021-20180,CVE-2021-20191,CVE-2021-20228
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    ansible-2.9.21-bp153.2.3.1
Comment 9 Swamp Workflow Management 2022-09-08 13:45:59 UTC 
SUSE-SU-2022:3178-1: An update that solves 7 vulnerabilities, contains three features and has 10 fixes is now available.

Category: security (important)
Bug References: 1176460,1180816,1180942,1181119,1181935,1183684,1187725,1188061,1193585,1197963,1199528,1200142,1200591,1200968,1200970,1201003,1202614
CVE References: CVE-2021-20178,CVE-2021-20180,CVE-2021-20191,CVE-2021-20228,CVE-2021-3447,CVE-2021-3583,CVE-2021-3620
JIRA References: SLE-23631,SLE-24133,SLE-24791
Sources used:
openSUSE Leap 15.4 (src):    ansible-2.9.27-150000.1.14.1, dracut-saltboot-0.1.1657643023.0d694ce-150000.1.35.1, golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, prometheus-blackbox_exporter-0.19.0-150000.1.11.1, python-hwdata-2.3.5-150000.3.9.1, spacecmd-4.3.14-150000.3.83.1, wire-0.5.0-150000.1.6.1
openSUSE Leap 15.3 (src):    ansible-2.9.27-150000.1.14.1, dracut-saltboot-0.1.1657643023.0d694ce-150000.1.35.1, golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, python-hwdata-2.3.5-150000.3.9.1, spacecmd-4.3.14-150000.3.83.1
SUSE Manager Tools 15 (src):    ansible-2.9.27-150000.1.14.1, dracut-saltboot-0.1.1657643023.0d694ce-150000.1.35.1, golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, mgr-daemon-4.3.5-150000.1.35.1, mgr-virtualization-4.3.6-150000.1.32.1, prometheus-blackbox_exporter-0.19.0-150000.1.11.1, python-hwdata-2.3.5-150000.3.9.1, spacecmd-4.3.14-150000.3.83.1, spacewalk-client-tools-4.3.11-150000.3.65.1, uyuni-common-libs-4.3.5-150000.1.24.1, uyuni-proxy-systemd-services-4.3.6-150000.1.6.1, zypp-plugin-spacewalk-1.0.13-150000.3.32.1
SUSE Linux Enterprise Server for SAP 15 (src):    golang-github-prometheus-node_exporter-1.3.0-150000.3.15.1
SUSE Linux Enterprise Server 15-LTSS (src):    golang-github-prometheus-node_exporter-1.3.0-150000.3.15.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (src):    golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, python-hwdata-2.3.5-150000.3.9.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, python-hwdata-2.3.5-150000.3.9.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    python-hwdata-2.3.5-150000.3.9.1
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (src):    ansible-2.9.27-150000.1.14.1, golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, prometheus-blackbox_exporter-0.19.0-150000.1.11.1, python-hwdata-2.3.5-150000.3.9.1, zypp-plugin-spacewalk-1.0.13-150000.3.32.1
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2 (src):    ansible-2.9.27-150000.1.14.1, golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, prometheus-blackbox_exporter-0.19.0-150000.1.11.1, python-hwdata-2.3.5-150000.3.9.1, zypp-plugin-spacewalk-1.0.13-150000.3.32.1
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1 (src):    python-hwdata-2.3.5-150000.3.9.1, zypp-plugin-spacewalk-1.0.13-150000.3.32.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    golang-github-prometheus-node_exporter-1.3.0-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    golang-github-prometheus-node_exporter-1.3.0-150000.3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2024-01-23 20:30:09 UTC 
SUSE-SU-2024:0196-1: An update that solves 44 vulnerabilities, contains 14 features and has 35 security fixes can now be installed.

Category: security (moderate)
Bug References: 1172110, 1176460, 1180816, 1180942, 1181119, 1181935, 1183684, 1187725, 1188061, 1188571, 1189520, 1191454, 1192154, 1192383, 1192696, 1192763, 1193492, 1193686, 1193688, 1197507, 1198903, 1199810, 1200142, 1200480, 1200591, 1200968, 1200970, 1201003, 1201059, 1201535, 1201539, 1202614, 1202945, 1203283, 1203596, 1203597, 1203599, 1204032, 1204126, 1204302, 1204303, 1204304, 1204305, 1204501, 1205207, 1205225, 1205227, 1205599, 1205759, 1207352, 1207749, 1207750, 1207830, 1208046, 1208049, 1208060, 1208062, 1208065, 1208270, 1208293, 1208298, 1208612, 1208692, 1208719, 1208819, 1208821, 1208965, 1209113, 1209645, 1210458, 1210640, 1210907, 1211525, 1212099, 1212100, 1212279, 1212641, 1218843, 1218844
CVE References: CVE-2020-7753, CVE-2021-20178, CVE-2021-20180, CVE-2021-20191, CVE-2021-20228, CVE-2021-3447, CVE-2021-3583, CVE-2021-3620, CVE-2021-36222, CVE-2021-3711, CVE-2021-3807, CVE-2021-3918, CVE-2021-41174, CVE-2021-41244, CVE-2021-43138, CVE-2021-43798, CVE-2021-43813, CVE-2021-43815, CVE-2022-0155, CVE-2022-23552, CVE-2022-27664, CVE-2022-29170, CVE-2022-31097, CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-32149, CVE-2022-35957, CVE-2022-36062, CVE-2022-39201, CVE-2022-39229, CVE-2022-39306, CVE-2022-39307, CVE-2022-39324, CVE-2022-41715, CVE-2022-41723, CVE-2022-46146, CVE-2023-0507, CVE-2023-0594, CVE-2023-1387, CVE-2023-1410, CVE-2023-2183, CVE-2023-2801, CVE-2023-3128
Jira References: MSQA-718, PED-2145, PED-2617, PED-3576, PED-3694, PED-4556, PED-5405, PED-5406, SLE-23422, SLE-23439, SLE-23631, SLE-24133, SLE-24565, SLE-24791
Sources used:
SUSE Manager Client Tools Beta for SLE Micro 5 (src): golang-github-QubitProducts-exporter_exporter-0.4.0-159000.4.6.1, prometheus-blackbox_exporter-0.24.0-159000.3.6.1, uyuni-proxy-systemd-services-5.0.1-159000.3.9.1, dracut-saltboot-0.1.1681904360.84ef141-159000.3.30.1
SUSE Manager Client Tools Beta for SLE 15 (src): python-pyvmomi-6.7.3-159000.3.6.1, golang-github-QubitProducts-exporter_exporter-0.4.0-159000.4.6.1, supportutils-plugin-salt-1.2.2-159000.5.9.1, uyuni-proxy-systemd-services-5.0.1-159000.3.9.1, mgr-push-5.0.1-159000.4.21.1, golang-github-lusitaniae-apache_exporter-1.0.0-159000.4.12.1, rhnlib-5.0.1-159000.6.30.1, golang-github-prometheus-prometheus-2.45.0-159000.6.33.1, spacewalk-client-tools-5.0.1-159000.6.48.1, uyuni-common-libs-5.0.1-159000.3.33.1, dracut-saltboot-0.1.1681904360.84ef141-159000.3.30.1, golang-github-boynux-squid_exporter-1.6-159000.4.9.1, ansible-2.9.27-159000.3.9.1, prometheus-postgres_exporter-0.10.1-159000.3.6.1, grafana-9.5.8-159000.4.24.1, spacecmd-5.0.1-159000.6.42.1, python-hwdata-2.3.5-159000.5.13.1, prometheus-blackbox_exporter-0.24.0-159000.3.6.1, supportutils-plugin-susemanager-client-5.0.1-159000.6.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.