Bug 1180942 - (CVE-2021-20180) VUL-0: CVE-2021-20180: ansible,ansible1: bitbucket_pipeline_variable exposes sensitive values
(CVE-2021-20180)
VUL-0: CVE-2021-20180: ansible,ansible1: bitbucket_pipeline_variable exposes ...
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/275388/
CVSSv3.1:SUSE:CVE-2021-20180:5.0:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-01-14 16:19 UTC by Gianluca Gabrielli
Modified: 2022-09-08 13:45 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Gianluca Gabrielli 2021-01-14 16:19:43 UTC
CVE-2021-20180

The bitbucket_pipeline module in Ansible-collection leaks sensitive info such as secret values. This could lead in disclosing those credentials for every user which has access to the output of playbook execution.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1915808
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20180
https://access.redhat.com/security/cve/CVE-2021-20180
Comment 2 Matej Cepl 2021-02-09 22:33:40 UTC
Waiting on release 2.9.18.
https://github.com/ansible/ansible/commits/stable-2.9
Comment 4 Gianluca Gabrielli 2021-05-20 13:50:36 UTC
Affected packages:

 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/ansible
 - SUSE:SLE-11-SP3:Update:Teradata/ansible

Upstream patch: https://github.com/ansible-collections/community.general/commit/1d0c5e2ba47724c31a18d7b08b9daf13df8829dc.patch
Comment 6 Swamp Workflow Management 2021-06-22 16:19:17 UTC
SUSE-SU-2021:2121-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1180816,1180942,1181119,1181935,1183684
CVE References: CVE-2021-20178,CVE-2021-20180,CVE-2021-20191,CVE-2021-20228,CVE-2021-3447
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ansible-2.9.22-3.18.1
SUSE OpenStack Cloud 8 (src):    ansible-2.9.22-3.18.1
HPE Helion Openstack 8 (src):    ansible-2.9.22-3.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2022-03-16 20:19:09 UTC
openSUSE-SU-2022:0081-1: An update that solves 26 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1099808,1112959,1118896,1126503,1137528,1157968,1157969,1164133,1164134,1164135,1164136,1164137,1164138,1164139,1164140,1165393,1166389,1167440,1167532,1167873,1171162,1174145,1174302,1180816,1180942,1181119,1181935
CVE References: CVE-2018-10875,CVE-2018-16837,CVE-2019-10156,CVE-2019-14846,CVE-2019-14904,CVE-2019-14905,CVE-2020-10684,CVE-2020-10685,CVE-2020-10691,CVE-2020-10729,CVE-2020-14330,CVE-2020-14332,CVE-2020-1733,CVE-2020-1734,CVE-2020-1735,CVE-2020-1736,CVE-2020-1737,CVE-2020-1738,CVE-2020-1739,CVE-2020-1740,CVE-2020-1746,CVE-2020-1753,CVE-2021-20178,CVE-2021-20180,CVE-2021-20191,CVE-2021-20228
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    ansible-2.9.21-bp153.2.3.1
Comment 10 Swamp Workflow Management 2022-09-08 13:45:55 UTC
SUSE-SU-2022:3178-1: An update that solves 7 vulnerabilities, contains three features and has 10 fixes is now available.

Category: security (important)
Bug References: 1176460,1180816,1180942,1181119,1181935,1183684,1187725,1188061,1193585,1197963,1199528,1200142,1200591,1200968,1200970,1201003,1202614
CVE References: CVE-2021-20178,CVE-2021-20180,CVE-2021-20191,CVE-2021-20228,CVE-2021-3447,CVE-2021-3583,CVE-2021-3620
JIRA References: SLE-23631,SLE-24133,SLE-24791
Sources used:
openSUSE Leap 15.4 (src):    ansible-2.9.27-150000.1.14.1, dracut-saltboot-0.1.1657643023.0d694ce-150000.1.35.1, golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, prometheus-blackbox_exporter-0.19.0-150000.1.11.1, python-hwdata-2.3.5-150000.3.9.1, spacecmd-4.3.14-150000.3.83.1, wire-0.5.0-150000.1.6.1
openSUSE Leap 15.3 (src):    ansible-2.9.27-150000.1.14.1, dracut-saltboot-0.1.1657643023.0d694ce-150000.1.35.1, golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, python-hwdata-2.3.5-150000.3.9.1, spacecmd-4.3.14-150000.3.83.1
SUSE Manager Tools 15 (src):    ansible-2.9.27-150000.1.14.1, dracut-saltboot-0.1.1657643023.0d694ce-150000.1.35.1, golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, mgr-daemon-4.3.5-150000.1.35.1, mgr-virtualization-4.3.6-150000.1.32.1, prometheus-blackbox_exporter-0.19.0-150000.1.11.1, python-hwdata-2.3.5-150000.3.9.1, spacecmd-4.3.14-150000.3.83.1, spacewalk-client-tools-4.3.11-150000.3.65.1, uyuni-common-libs-4.3.5-150000.1.24.1, uyuni-proxy-systemd-services-4.3.6-150000.1.6.1, zypp-plugin-spacewalk-1.0.13-150000.3.32.1
SUSE Linux Enterprise Server for SAP 15 (src):    golang-github-prometheus-node_exporter-1.3.0-150000.3.15.1
SUSE Linux Enterprise Server 15-LTSS (src):    golang-github-prometheus-node_exporter-1.3.0-150000.3.15.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (src):    golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, python-hwdata-2.3.5-150000.3.9.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, python-hwdata-2.3.5-150000.3.9.1
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    python-hwdata-2.3.5-150000.3.9.1
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (src):    ansible-2.9.27-150000.1.14.1, golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, prometheus-blackbox_exporter-0.19.0-150000.1.11.1, python-hwdata-2.3.5-150000.3.9.1, zypp-plugin-spacewalk-1.0.13-150000.3.32.1
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2 (src):    ansible-2.9.27-150000.1.14.1, golang-github-QubitProducts-exporter_exporter-0.4.0-150000.1.15.1, prometheus-blackbox_exporter-0.19.0-150000.1.11.1, python-hwdata-2.3.5-150000.3.9.1, zypp-plugin-spacewalk-1.0.13-150000.3.32.1
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.1 (src):    python-hwdata-2.3.5-150000.3.9.1, zypp-plugin-spacewalk-1.0.13-150000.3.32.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    golang-github-prometheus-node_exporter-1.3.0-150000.3.15.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    golang-github-prometheus-node_exporter-1.3.0-150000.3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.