CVE-2021-20191

MEDIUM

Oracle Virtualization < 2.8.19 - Log Information Exposure

Title source: rule

Description

A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected.

References (2)

Core 2

Core References

Mailing List mailing-list

https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html

Issue Tracking, Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1916813

Scores

CVSS v3 5.5

EPSS 0.0002

EPSS Percentile 6.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-532

Status published

Products (9)

oracle/virtualization 4.0

pypi/ansible 2.9.0a1 - 2.9.18rc1PyPI

redhat/ansible < 2.8.19

redhat/ansible_tower 3.0

redhat/cisco_nx-os_collection < 1.4.0

redhat/community_general_collection < 1.3.6

redhat/community_network_collection < 1.3.2

redhat/docker_community_collection < 1.2.2

redhat/google_cloud_platform_ansible_collection 1.0.2

Published May 26, 2021

Tracked Since Feb 18, 2026