Published: 18/04/2022 Updated: 07/11/2023

CVSS v2 Base Score: 2.1 | Impact Score: 2.9 | Exploitability Score: 3.9

CVSS v3 Base Score: 5.5 | Impact Score: 3.6 | Exploitability Score: 1.8

VMScore: 187

Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

Subscribe to Ansible Automation Platform

A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in "galaxy.yml" include files in the ``.tar.gz`` file. This contains sensitive info, such as the user's Ansible Galaxy API key and any secrets in ``ansible`` or ``ansible-playbook`` verbose output without the``no_log`` redaction. Currently, there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets.

Vulnerable Product	Search on Vulmon	Subscribe to Product
redhat ansible automation platform 1.2
redhat ansible galaxy 3.3.0

A security issue was found in Ansible Galaxy Collections When collections are built manually, any files in the repository directory that are not explicitly excluded via the build_ignore list in galaxyyml include files in the targz file This contains sensitive info, such as the user's Ansible Galaxy API key and any secrets in ansible or ansible ...

CWE-522 https://bugzilla.redhat.com/show_bug.cgi?id=1989407 https://github.com/ansible/galaxy/issues/1977 https://nvd.nist.gov https://security.archlinux.org/CVE-2021-3681

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2021-3681

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect