—

PYSEC-2021-106

Details

A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / ansible

Introduced in: 0 Fixed in: 2.9.18

Fix pip install --upgrade 'ansible>=2.9.18'

References

https://github.com/ansible/ansible/blob/v2.9.18/changelogs/CHANGELOG-v2.9.rst#security-fixes, [WEB]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIU7QZUV73U6ZQ65VJWSFBTCALVXLH55/ [WEB]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUQ2QKAQA5OW2TY3ACZZMFIAJ2EQTG37/ [WEB]
https://bugzilla.redhat.com/show_bug.cgi?id=1914774 [REPORT]
https://github.com/ansible-collections/community.general/pull/1635, [WEB]
https://github.com/advisories/GHSA-wv5p-gmmv-wh9v [ADVISORY]