CVE-2021-3620

MEDIUM

Ansible < 2.9.27 - Sensitive Information Disclosure in Error Messages

Title source: llm

Description

A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.

References (4)

Core 4

Core References

Issue Tracking, Patch, Third Party Advisory x_refsource_misc

https://bugzilla.redhat.com/show_bug.cgi?id=1975767

Release Notes, Third Party Advisory x_refsource_misc

https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes

View Writeup ZIP pw:eip

Patch, Third Party Advisory x_refsource_misc

https://github.com/ansible/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0

Mailing List

https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html

Scores

CVSS v3 5.5

EPSS 0.0029

EPSS Percentile 52.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-209

Status published

Products (11)

pypi/ansible 0 - 2.9.27PyPI

redhat/ansible_automation_platform_early_access 2.0

redhat/ansible_engine < 2.9.27

redhat/enterprise_linux 8.0

redhat/enterprise_linux_for_power_little_endian 8.0

redhat/openstack 1

redhat/openstack 16.1

redhat/virtualization 4.0

redhat/virtualization_for_ibm_power_little_endian 4.0

redhat/virtualization_host 4.0

... and 1 more

Published Mar 03, 2022

Tracked Since Feb 18, 2026