CVE-2021-3620

moderate-risk

Published 2022-03-03

A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.

Do I need to act?

0.29% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.5/10 Medium

LOCAL / LOW complexity

Affected Products (10)

Ansible Automation Platform Early Access

Ansible Engine

Openstack

Virtualization

Virtualization For Ibm Power Little Endian

Virtualization Host

Virtualization Manager

Enterprise Linux

Enterprise Linux For Power Little Endian

Affected Vendors

Redhat

References (8)

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1975767

Release Notes https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst...

Patch https://github.com/ansible/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fa...

https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1975767

Release Notes https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst...

Patch https://github.com/ansible/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fa...

https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html

/ 100

moderate-risk

Severity 18/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 16/34 · Moderate