Red Hat Ansible up to 2.8.15 ansible-connection information exposure

Summaryinfo

A vulnerability classified as problematic has been found in Red Hat Ansible. The impacted element is an unknown function of the component ansible-connection. This manipulation causes information exposure. The identification of this vulnerability is CVE-2021-3620. There is no exploit available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability has been found in Red Hat Ansible and classified as problematic. Affected by this vulnerability is some unknown processing of the component ansible-connection. The manipulation with an unknown input leads to a information exposure vulnerability. The CWE definition for the vulnerability is CWE-209. The product generates an error message that includes sensitive information about its environment, users, or associated data. As an impact it is known to affect confidentiality.

The weakness was shared 03/04/2022. It is possible to read the advisory at bugzilla.redhat.com. This vulnerability is known as CVE-2021-3620 since 06/24/2021. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1592 according to MITRE ATT&CK.

The vulnerability scanner Nessus provides a plugin with the ID 214484 (Debian dla-3695 : ansible - security update), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 2.9 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch fe28767970c8ec62aabe493c46b53a5de1e5fac0 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at Tenable (214484). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• Red Hat

Name

• Ansible

Version

• 1.0.5
• 1.2.1
• 1.6.6
• 1.9.2
• 1.9.6-1
• 2
• 2.0.1
• 2.0.2
• 2.0.2.0
• 2.0.4
• 2.1.4
• 2.2.0
• 2.2.1
• 2.3
• 2.3.1.0
• 2.3.3
• 2.4.0
• 2.4.0.0
• 2.4.1
• 2.4.5
• 2.5
• 2.5.4
• 2.5.5
• 2.5.14
• 2.5.15
• 2.6.0
• 2.6.1
• 2.6.2
• 2.6.3
• 2.6.4
• 2.6.5
• 2.6.6
• 2.6.7
• 2.6.8
• 2.6.9
• 2.6.10
• 2.6.11
• 2.6.12
• 2.6.13
• 2.6.14
• 2.6.15
• 2.6.16
• 2.6.17
• 2.6.18
• 2.6.20
• 2.7
• 2.7.0
• 2.7.1
• 2.7.2
• 2.7.3
• 2.7.4
• 2.7.5
• 2.7.6
• 2.7.7
• 2.7.8
• 2.7.9
• 2.7.10
• 2.7.11
• 2.7.12
• 2.7.13
• 2.7.14
• 2.7.15
• 2.7.16
• 2.7.17
• 2.8
• 2.8.0
• 2.8.1
• 2.8.2
• 2.8.3
• 2.8.4
• 2.8.5
• 2.8.6
• 2.8.7
• 2.8.8
• 2.8.9
• 2.8.10
• 2.8.15

License

• open-source

Website

• Vendor: https://www.redhat.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion