{"id":"MGASA-2021-0420","summary":"Updated ansible packages fix security vulnerability","details":"A flaw was found in several ansible modules, where parameters containing\ncredentials, such as secrets, were being logged in plain-text on managed\nnodes, as well as being made visible on the controller node when run in\nverbose mode.\n\nThese parameters were not protected by the no_log feature. An attacker can\ntake advantage of this information to steal those credentials, provided\nwhen they have access to the log files containing them. The highest threat\nfrom this vulnerability is to data confidentiality. This flaw affects Red\nHat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower\nin versions before 3.8.2 (CVE-2021-3447).\n\nA flaw was found in Ansible, where a user's controller is vulnerable to\ntemplate injection. This issue can occur through facts used in the template\nif the user is trying to put templates in multi-line YAML strings and the\nfacts being handled do not routinely include special template characters.\nThis flaw allows attackers to perform command injection, which discloses\nsensitive information. The highest threat from this vulnerability is to\nconfidentiality and integrity (CVE-2021-3583).\n","modified":"2026-04-16T04:41:54.316244804Z","published":"2021-09-23T04:49:29Z","upstream":["CVE-2021-3447","CVE-2021-3583"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0420.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=28832"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2021:1342"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2021:2664"},{"type":"WEB","url":"https://github.com/ansible/ansible/blob/v2.9.24/changelogs/CHANGELOG-v2.9.rst"}],"affected":[{"package":{"name":"ansible","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/ansible?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.9.24-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0420.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}