{
  "threat_severity" : "Important",
  "public_date" : "2021-06-25T00:00:00Z",
  "bugzilla" : {
    "description" : "Ansible: ansible-connection module discloses sensitive info in traceback error message",
    "id" : "1975767",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1975767"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-209",
  "details" : [ "A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.", "A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality." ],
  "statement" : "Red Hat Gluster Storage 3 no longer maintains its own version of Ansible. The prerequisite is to enable the Ansible repository in order to consume the latest version of Ansible, which has many bug and security fixes.\nRed Hat Ceph Storage 2 only provides fixes for bugs on an as-requested basis by a customer, and will not be fixed after discussion with engineering about the viability of a fix. Red Hat Ceph Storage 3 does not directly ship ansible, and thus is closed as won't fix.\nRed Hat Virtualization ships an affected version of ansible, however, the usage of ansible on the redhat-virtualization-host is only supported for self-hosted-engine installation and disaster recovery, where it is run locally. As such Impact is rated Moderate.",
  "acknowledgement" : "Red Hat would like to thank Dalton Rardin for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2.0 for RHEL 8",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3874",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.0::el8",
    "package" : "ansible-0:2.9.27-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.0 for RHEL 8",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3874",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.0::el8",
    "package" : "ansible-core-0:2.11.6-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.9 for RHEL 7",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3871",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.9::el7",
    "package" : "ansible-0:2.9.27-1.el7ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.9 for RHEL 8",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3871",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.9::el8",
    "package" : "ansible-0:2.9.27-1.el8ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2 for RHEL 7",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3872",
    "cpe" : "cpe:/a:redhat:ansible_engine:2::el7",
    "package" : "ansible-0:2.9.27-1.el7ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2 for RHEL 8",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3872",
    "cpe" : "cpe:/a:redhat:ansible_engine:2::el8",
    "package" : "ansible-0:2.9.27-1.el8ae"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-16T00:00:00Z",
    "advisory" : "RHSA-2021:4703",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4.4::el8",
    "package" : "ansible-0:2.9.27-1.el8ae"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-16T00:00:00Z",
    "advisory" : "RHSA-2021:4703",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4.4::el8",
    "package" : "ovirt-ansible-collection-0:1.6.5-1.el8ev"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-19T00:00:00Z",
    "advisory" : "RHSA-2021:4750",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4.4::el8",
    "package" : "redhat-virtualization-host-0:4.4.9-202111172338_8.5",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-16T00:00:00Z",
    "advisory" : "RHSA-2021:4703",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4.4::el8",
    "package" : "ovirt-ansible-collection-0:1.6.5-1.el8ev",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Virtualization Engine 4.4",
    "release_date" : "2021-11-16T00:00:00Z",
    "advisory" : "RHSA-2021:4703",
    "cpe" : "cpe:/a:redhat:rhev_manager:4.4:el8",
    "package" : "ansible-0:2.9.27-1.el8ae"
  }, {
    "product_name" : "Red Hat Virtualization Engine 4.4",
    "release_date" : "2021-11-16T00:00:00Z",
    "advisory" : "RHSA-2021:4703",
    "cpe" : "cpe:/a:redhat:rhev_manager:4.4:el8",
    "package" : "ovirt-ansible-collection-0:1.6.5-1.el8ev"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 1.2",
    "fix_state" : "Affected",
    "package_name" : "Ansible",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform"
  }, {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3620\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3620" ],
  "name" : "CVE-2021-3620",
  "csaw" : false
}