CVE-2021-3681

UNKNOWN

Published 2022-04-18T16:20:37

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2021-3681. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in "galaxy.yml" include files in the ``.tar.gz`` file. This contains sensitive info, such as the user's Ansible Galaxy API key and any secrets in ``ansible`` or ``ansible-playbook`` verbose output without the``no_log`` redaction. Currently, there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed MODERATE

GHSA-wh68-r6p4-7cv3

Advisory Details

CVSS Scoring

CVSS Score

5.0

CVSS Vector


                                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-3681

WEB https://github.com/ansible/galaxy/issues/1977

WEB https://bugzilla.redhat.com/show_bug.cgi?id=1989407

Advisory provided by GitHub Security Advisory Database. Published: April 19, 2022, Modified: April 28, 2022

References

https://bugzilla.redhat.com/show_bug.cgi?id=1989407

https://github.com/ansible/galaxy/issues/1977

Published: 2022-04-18T16:20:37

Last Modified: 2024-08-03T17:01:07.697Z

Copied to clipboard!

CVE-2021-3681

Expert Analysis

Description

Available Exploits

Related News

GitHub Security Advisories

Advisory Details

CVSS Scoring

CVSS Score

CVSS Vector

References

References

Request Analysis

What to expect

Request Received!