CVE-2021-3681
N/A
N/A
Summary
A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the build_ignore list in "galaxy.yml" include files in the .tar.gz file. This contains sensitive info, such as the user's Ansible Galaxy API key and any secrets in ansible or ansible-playbook verbose output without theno_log redaction. Currently, there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | ansible | ansible 3.3.0 | affected |
Weaknesses
- CWE-522: CWE-522->CWE-212
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.