CVE-2021-3620

A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.

CVSS v3 5.5 MEDIUM
CVSS v2.0 2.1 LOW

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1975767	Issue Tracking Patch Third Party Advisory
https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes	Release Notes Third Party Advisory
https://github.com/ansible/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0	Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:ansible_automation_platform_early_access:2.0:::::::*
	cpe:2.3:a:redhat:ansible_engine::::::::
	cpe:2.3:a:redhat:openstack:1:::::::*
	cpe:2.3:a:redhat:openstack:16.1:::::::*
	cpe:2.3:a:redhat:virtualization:4.0:::::::*
	cpe:2.3:a:redhat:virtualization_for_ibm_power_little_endian:4.0:::::::*
	cpe:2.3:a:redhat:virtualization_host:4.0:::::::*
	cpe:2.3:a:redhat:virtualization_manager:4.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:::::::*

History

28 Dec 2023, 19:15

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html -

12 Feb 2023, 23:41

Type	Values Removed	Values Added
References	~~{'url': 'https://access.redhat.com/security/cve/CVE-2021-3620', 'name': 'https://access.redhat.com/security/cve/CVE-2021-3620', 'tags': [], 'refsource': 'MISC'}~~ ~~{'url': 'https://access.redhat.com/errata/RHSA-2021:3874', 'name': 'https://access.redhat.com/errata/RHSA-2021:3874', 'tags': [], 'refsource': 'MISC'}~~ ~~{'url': 'https://access.redhat.com/errata/RHSA-2021:3872', 'name': 'https://access.redhat.com/errata/RHSA-2021:3872', 'tags': [], 'refsource': 'MISC'}~~ ~~{'url': 'https://access.redhat.com/errata/RHSA-2021:3871', 'name': 'https://access.redhat.com/errata/RHSA-2021:3871', 'tags': [], 'refsource': 'MISC'}~~ ~~{'url': 'https://access.redhat.com/errata/RHSA-2021:4703', 'name': 'https://access.redhat.com/errata/RHSA-2021:4703', 'tags': [], 'refsource': 'MISC'}~~ ~~{'url': 'https://access.redhat.com/errata/RHSA-2021:4750', 'name': 'https://access.redhat.com/errata/RHSA-2021:4750', 'tags': [], 'refsource': 'MISC'}~~

02 Feb 2023, 21:21

Type	Values Removed	Values Added
References		(MISC) https://access.redhat.com/security/cve/CVE-2021-3620 - (MISC) https://access.redhat.com/errata/RHSA-2021:3874 - (MISC) https://access.redhat.com/errata/RHSA-2021:3872 - (MISC) https://access.redhat.com/errata/RHSA-2021:3871 - (MISC) https://access.redhat.com/errata/RHSA-2021:4703 - (MISC) https://access.redhat.com/errata/RHSA-2021:4750 -

15 Mar 2022, 12:41

Type	Values Removed	Values Added
First Time		Redhat enterprise Linux For Power Little Endian Redhat virtualization Manager Redhat virtualization Host Redhat virtualization Redhat ansible Automation Platform Early Access Redhat ansible Engine Redhat virtualization For Ibm Power Little Endian Redhat enterprise Linux Redhat openstack Redhat
CWE		CWE-209
References	~~(MISC) https://github.com/ansible/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0 -~~	(MISC) https://github.com/ansible/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0 - Patch, Third Party Advisory
References	~~(MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1975767 -~~	(MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1975767 - Issue Tracking, Patch, Third Party Advisory
References	~~(MISC) https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes -~~	(MISC) https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes - Release Notes, Third Party Advisory
CPE		cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:::::::* cpe:2.3:a:redhat:ansible_engine:::::::: cpe:2.3:a:redhat:openstack:16.1:::::::* cpe:2.3:a:redhat:virtualization_manager:4.4:::::::* cpe:2.3:a:redhat:openstack:1:::::::* cpe:2.3:a:redhat:virtualization_host:4.0:::::::* cpe:2.3:o:redhat:enterprise_linux:8.0:::::::* cpe:2.3:a:redhat:virtualization_for_ibm_power_little_endian:4.0:::::::* cpe:2.3:a:redhat:virtualization:4.0:::::::* cpe:2.3:a:redhat:ansible_automation_platform_early_access:2.0:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 2.1 v3 : 5.5

03 Mar 2022, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-03-03 19:15

Updated : 2023-12-28 19:15

NVD link : CVE-2021-3620

Mitre link : CVE-2021-3620

CVE.ORG link : CVE-2021-3620

JSON object : View

Products Affected

redhat

enterprise_linux
enterprise_linux_for_power_little_endian
ansible_engine
ansible_automation_platform_early_access
openstack
virtualization_for_ibm_power_little_endian
virtualization_manager
virtualization_host
virtualization

CWE

CWE-209

Generation of Error Message Containing Sensitive Information

5.5 /10

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1 /10

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2021-3620

5.5^/10

2.1^/10

Attach tags to `CVE-2021-3620`