{
  "threat_severity" : "Moderate",
  "public_date" : "2021-01-11T00:00:00Z",
  "bugzilla" : {
    "description" : "ansible: user data leak in snmp_facts module",
    "id" : "1914774",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1914774"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-532",
  "details" : [ "A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.", "A flaw was found in ansible. The 'authkey' and 'privkey' credentials are disclosed by default and not protected by no_log feature when using the snmp_facts module. Attackers could take advantage of this information to steal the SNMP credentials. The highest threat from this vulnerability is to data confidentiality." ],
  "statement" : "The version of ansible shipped with Red Hat Gluster Storage (RHGS) 3 includes the vulnerable snmp module. However, RHGS 3 no longer maintains its own version of Ansible, prerequisite is to enable ansible repository in order to consume the latest version of ansible which has many bug and security fixes.",
  "acknowledgement" : "This issue was discovered by Abhijeet Kasurde (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 1.2 for RHEL 7",
    "release_date" : "2021-04-09T00:00:00Z",
    "advisory" : "RHSA-2021:1079",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:1.2::el7",
    "package" : "ansible-automation-platform/platform-resource-operator-bundle:v0.1.1-1"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 1.2 for RHEL 7",
    "release_date" : "2021-04-09T00:00:00Z",
    "advisory" : "RHSA-2021:1079",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:1.2::el7",
    "package" : "ansible-automation-platform/platform-resource-rhel7-operator:v0.1.0-12"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 1.2 for RHEL 7",
    "release_date" : "2021-04-09T00:00:00Z",
    "advisory" : "RHSA-2021:1079",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:1.2::el7",
    "package" : "ansible-automation-platform/platform-resource-runner-rhel7:v0.1.0-15"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.9 for RHEL 7",
    "release_date" : "2021-02-24T00:00:00Z",
    "advisory" : "RHSA-2021:0664",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.9::el7",
    "package" : "ansible-0:2.9.18-1.el7ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.9 for RHEL 8",
    "release_date" : "2021-02-24T00:00:00Z",
    "advisory" : "RHSA-2021:0664",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.9::el8",
    "package" : "ansible-0:2.9.18-1.el8ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2 for RHEL 7",
    "release_date" : "2021-02-24T00:00:00Z",
    "advisory" : "RHSA-2021:0663",
    "cpe" : "cpe:/a:redhat:ansible_engine:2::el7",
    "package" : "ansible-0:2.9.18-1.el7ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2 for RHEL 8",
    "release_date" : "2021-02-24T00:00:00Z",
    "advisory" : "RHSA-2021:0663",
    "cpe" : "cpe:/a:redhat:ansible_engine:2::el8",
    "package" : "ansible-0:2.9.18-1.el8ae"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
    "release_date" : "2021-06-01T00:00:00Z",
    "advisory" : "RHSA-2021:2180",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4.4::el8",
    "package" : "ansible-0:2.9.18-1.el8ae"
  }, {
    "product_name" : "Red Hat Virtualization Engine 4.4",
    "release_date" : "2021-06-01T00:00:00Z",
    "advisory" : "RHSA-2021:2180",
    "cpe" : "cpe:/a:redhat:rhev_manager:4.4:el8",
    "package" : "ansible-0:2.9.18-1.el8ae"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ansible Tower 3",
    "fix_state" : "Out of support scope",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ansible_tower:3"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-20178\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-20178" ],
  "name" : "CVE-2021-20178",
  "csaw" : false
}