{"containers": {"cna": {"affected": [{"product": "ansible", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed in Ansible Engine v2.9.27"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "CWE-209 - Generation of Error Message Containing Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2023-12-28T19:06:30.310Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1975767"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ansible/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:01:07.670Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1975767"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ansible/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-15T17:09:25.955830Z", "id": "CVE-2021-3620", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-15T17:13:51.591Z"}}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2021-3620", "datePublished": "2022-03-03T18:23:38.000Z", "dateReserved": "2021-06-24T00:00:00.000Z", "dateUpdated": "2025-02-13T16:28:25.255Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1975767", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/ansible/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:01:07.670Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-3620", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-15T17:09:25.955830Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-15T17:11:00.579Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "ansible", "versions": [{"status": "affected", "version": "Fixed in Ansible Engine v2.9.27"}]}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1975767", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ansible/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0", "tags": ["x_refsource_MISC"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-209", "description": "CWE-209 - Generation of Error Message Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2022-03-03T18:23:38"}}}, "cveMetadata": {"cveId": "CVE-2021-3620", "state": "PUBLISHED", "dateUpdated": "2024-10-15T17:13:51.591Z", "dateReserved": "2021-06-24T00:00:00", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2022-03-03T18:23:38", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible_automation_platform_early_access:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "E3871C74-20C4-4212-AEF1-D792637A92B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "19A338B7-0C96-497E-AF9C-EA78F143CCBE", "versionEndExcluding": "2.9.27", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack:1:*:*:*:*:*:*:*", "matchCriteriaId": "4B7FF772-FC99-435A-8D6F-6999656B9593", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack:16.1:*:*:*:*:*:*:*", "matchCriteriaId": "C9D3F4FF-AD3D-4D17-93E8-84CAFCED2F59", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "6BBD7A51-0590-4DDF-8249-5AFA8D645CB6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:virtualization_for_ibm_power_little_endian:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "FDE26BBE-BD17-43B4-9C3F-B009F5AD0396", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "BB28F9AF-3D06-4532-B397-96D7E4792503", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:virtualization_manager:4.4:*:*:*:*:*:*:*", "matchCriteriaId": "E0E1B0D8-7067-4FE7-A309-917AE4D59E7E", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "47811209-5CE5-4375-8391-B0A7F6A0E420", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality."}, {"lang": "es", "value": "Se ha encontrado un fallo en el m\u00f3dulo ansible-connection de Ansible Engine, en el que informaci\u00f3n confidencial, como las credenciales de usuario de Ansible, es revelado por defecto en el mensaje de error de rastreo. La mayor amenaza de esta vulnerabilidad es la confidencialidad"}], "id": "CVE-2021-3620", "lastModified": "2024-11-21T06:22:00.013", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-03T19:15:08.237", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1975767"}, {"source": "secalert@redhat.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ansible/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0"}, {"source": "secalert@redhat.com", "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1975767"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ansible/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-209"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Dalton Rardin for reporting this issue.", "affected_release": [{"advisory": "RHSA-2021:3874", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.0::el8", "package": "ansible-0:2.9.27-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.0 for RHEL 8", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3874", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.0::el8", "package": "ansible-core-0:2.11.6-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.0 for RHEL 8", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3871", "cpe": "cpe:/a:redhat:ansible_engine:2.9::el7", "package": "ansible-0:2.9.27-1.el7ae", "product_name": "Red Hat Ansible Engine 2.9 for RHEL 7", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3871", "cpe": "cpe:/a:redhat:ansible_engine:2.9::el8", "package": "ansible-0:2.9.27-1.el8ae", "product_name": "Red Hat Ansible Engine 2.9 for RHEL 8", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3872", "cpe": "cpe:/a:redhat:ansible_engine:2::el7", "package": "ansible-0:2.9.27-1.el7ae", "product_name": "Red Hat Ansible Engine 2 for RHEL 7", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:3872", "cpe": "cpe:/a:redhat:ansible_engine:2::el8", "package": "ansible-0:2.9.27-1.el8ae", "product_name": "Red Hat Ansible Engine 2 for RHEL 8", "release_date": "2021-10-14T00:00:00Z"}, {"advisory": "RHSA-2021:4703", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package": "ansible-0:2.9.27-1.el8ae", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2021-11-16T00:00:00Z"}, {"advisory": "RHSA-2021:4703", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package": "ovirt-ansible-collection-0:1.6.5-1.el8ev", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2021-11-16T00:00:00Z"}, {"advisory": "RHSA-2021:4750", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "impact": "moderate", "package": "redhat-virtualization-host-0:4.4.9-202111172338_8.5", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2021-11-19T00:00:00Z"}, {"advisory": "RHSA-2021:4703", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "impact": "moderate", "package": "ovirt-ansible-collection-0:1.6.5-1.el8ev", "product_name": "Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8", "release_date": "2021-11-16T00:00:00Z"}, {"advisory": "RHSA-2021:4703", "cpe": "cpe:/a:redhat:rhev_manager:4.4:el8", "package": "ansible-0:2.9.27-1.el8ae", "product_name": "Red Hat Virtualization Engine 4.4", "release_date": "2021-11-16T00:00:00Z"}, {"advisory": "RHSA-2021:4703", "cpe": "cpe:/a:redhat:rhev_manager:4.4:el8", "package": "ovirt-ansible-collection-0:1.6.5-1.el8ev", "product_name": "Red Hat Virtualization Engine 4.4", "release_date": "2021-11-16T00:00:00Z"}], "bugzilla": {"description": "Ansible: ansible-connection module discloses sensitive info in traceback error message", "id": "1975767", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1975767"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-209", "details": ["A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.", "A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality."], "name": "CVE-2021-3620", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Affected", "package_name": "Ansible", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Affected", "package_name": "ansible", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "package_name": "ansible", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Will not fix", "package_name": "ansible", "product_name": "Red Hat Storage 3"}], "public_date": "2021-06-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-3620\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3620"], "statement": "Red Hat Gluster Storage 3 no longer maintains its own version of Ansible. The prerequisite is to enable the Ansible repository in order to consume the latest version of Ansible, which has many bug and security fixes.\nRed Hat Ceph Storage 2 only provides fixes for bugs on an as-requested basis by a customer, and will not be fixed after discussion with engineering about the viability of a fix. Red Hat Ceph Storage 3 does not directly ship ansible, and thus is closed as won't fix.\nRed Hat Virtualization ships an affected version of ansible, however, the usage of ansible on the redhat-virtualization-host is only supported for self-hosted-engine installation and disaster recovery, where it is run locally. As such Impact is rated Moderate.", "threat_severity": "Important"}