CVE-2021-3447
CVSS V2 Low 2.1
CVSS V3 Medium 5.5
Description
A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2.
Overview
- CVE ID
- CVE-2021-3447
- Assigner
- secalert@redhat.com
- Vulnerability Status
- Analyzed
- Published Version
- 2021-04-01T18:15:13
- Last Modified Date
- 2021-06-03T13:47:16
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:* | 1 | OR | 1.2.2 | |
| cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:* | 1 | OR | 3.8.2 | |
| cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* | 1 | OR |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:L/AC:L/Au:N/C:P/I:N/A:N
- Access Vector
- LOCAL
- Access Compatibility
- LOW
- Authentication
- NONE
- Confidentiality Impact
- PARTIAL
- Integrity Impact
- NONE
- Availability Impact
- NONE
- Base Score
- 2.1
- Severity
- LOW
- Exploitability Score
- 3.9
- Impact Score
- 2.9
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Attack Vector
- LOCAL
- Attack Compatibility
- LOW
- Privileges Required
- LOW
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- NONE
- Base Score
- 5.5
- Base Severity
- MEDIUM
- Exploitability Score
- 1.8
- Impact Score
- 3.6
References
| Reference URL | Reference Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1939349 | Issue Tracking Vendor Advisory |
| https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RUTGO4RS4ZXZSPBU2CHVPT75IAFVTTL3/ | Mailing List Third Party Advisory |
| https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MS4VPUYVLGSAKOX26IT52BSMEZRZ3KS/ | Mailing List Third Party Advisory |
| https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JBZ75MAMVQVZROPYHMRDQKPPVASP63DG/ | Mailing List Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2021-3447 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3447 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 16:13:46 | Added to TrackCVE | |||
| 2022-12-06 00:50:55 | 2021-04-01T18:15Z | 2021-04-01T18:15:13 | CVE Published Date | updated |
| 2022-12-06 00:50:55 | 2021-06-03T13:47:16 | CVE Modified Date | updated | |
| 2022-12-06 00:50:55 | Analyzed | Vulnerability Status | updated |