CVE-2021-3681 - OpenCVE

A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in "galaxy.yml" include files in the ``.tar.gz`` file. This contains sensitive info, such as the user's Ansible Galaxy API key and any secrets in ``ansible`` or ``ansible-playbook`` verbose output without the``no_log`` redaction. Currently, there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Ansible Automation Platform Ansible Galaxy

Configuration 1 [-]

OR	cpe:2.3:a:redhat:ansible_automation_platform:1.2:::::::*
	cpe:2.3:a:redhat:ansible_galaxy:3.3.0:::::::*

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1989407	Issue Tracking Vendor Advisory
https://github.com/ansible/galaxy/issues/1977	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2022-04-18T16:20:37

Updated: 2022-04-18T16:20:37

Reserved: 2021-08-03T00:00:00

Link: CVE-2021-3681

JSON object: View

NVD Information

Status : Modified

Published: 2022-04-18T17:15:15.507

Modified: 2023-11-07T03:38:12.500

Link: CVE-2021-3681

JSON object: View

Redhat Information

No data.

CWE

CWE-522

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible_automation_platform:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "CBA4F8F3-6FC3-4ADD-BB96-A707E94AB0AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_galaxy:3.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "1690AEF3-1BBC-40FE-9B89-AD11691269B7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in \"galaxy.yml\" include files in the ``.tar.gz`` file. This contains sensitive info, such as the user's Ansible Galaxy API key and any secrets in ``ansible`` or ``ansible-playbook`` verbose output without the``no_log`` redaction. Currently, there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets."}, {"lang": "es", "value": "Se ha encontrado un fallo en Ansible Galaxy Collections. Cuando las colecciones son construidas manualmente, cualquier archivo en el directorio del repositorio que no sea excluido expl\u00edcitamente por medio de la lista \"build_ignore\" en \"galaxy.yml\" incluye archivos en el archivo \".tar.gz\". Esto contiene informaci\u00f3n confidencial, como la clave de la API de Ansible Galaxy del usuario y cualquier secreto en la salida verbosa de \"ansible\" o \"ansible-playbook\" sin la redacci\u00f3n \"no_log\". Actualmente, no se presenta forma de eliminar una colecci\u00f3n o una versi\u00f3n de la colecci\u00f3n. Una vez publicada, cualquiera que descargue o instale la colecci\u00f3n puede visualizar los secretos"}], "id": "CVE-2021-3681", "lastModified": "2023-11-07T03:38:12.500", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-18T17:15:15.507", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1989407"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ansible/galaxy/issues/1977"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "secalert@redhat.com", "type": "Secondary"}]}