
CVE-2021-20228: Ansible Exposes Sensitive Information

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.30871%
Published: 5/25/2022
Updated: 9/9/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions       | First Patched Version
ansible      | pip       | >= 2.10.0a1, < 2.10.6rc1  | 2.10.6rc1
ansible      | pip       | >= 2.9.0a1, < 2.9.18rc1   | 2.9.18rc1
ansible      | pip       | < 2.8.19rc1               | 2.8.19rc1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from two key functions in basic.py:

  1. _set_defaults: the pre-patch code did not check whether a parameter was declared with 'no_log=True' when applying its default, so a sensitive default value was never added to the masked set and was left unmasked.
  2. _set_fallbacks: the pre-patch implementation did not capture the value returned by a fallback strategy (for example env_fallback) and add it to no_log_values, so fallback-sourced secrets were not masked either.

The commit diff shows both functions were modified to add no_log checks and to register the resulting values for masking. The added tests specifically validate that default and fallback values of no_log parameters are masked, confirming these were the vulnerable points.
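To make the root cause concrete, the following is an added example (not Ansible's code and not Miggo's analysis): a deliberately simplified stand-in for a module argument processor with `_set_defaults`, `_set_fallbacks` and a masking set named `no_log_values`, modelled on the description above. The `patched` flag switches between the pre-fix behaviour (defaults and fallback values bypass masking) and the fixed behaviour (they are registered for masking). The class `ModuleArgs`, the helper `render_log`, the environment dict and the argument spec are all constructed for this illustration; only `env_fallback` and `no_log_values` echo names mentioned on the page.

```python
import os
from functools import partial
from typing import Any, Iterator, Optional

MASK = "********"


def return_values(value: Any) -> Iterator[str]:
    """Yield every string leaf of a (possibly nested) value so that compound
    secrets (lists, dicts) can be masked piece by piece."""
    if isinstance(value, str):
        if value:
            yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from return_values(v)
    elif isinstance(value, (list, tuple, set)):
        for v in value:
            yield from return_values(v)
    elif value is not None:
        yield str(value)


def env_fallback(*names: str, env: Optional[dict] = None) -> Optional[str]:
    """Fallback strategy: the first environment variable that is set wins.
    `env` lets the demo pass a constructed environment instead of os.environ."""
    source = os.environ if env is None else env
    for name in names:
        if name in source:
            return source[name]
    return None


class ModuleArgs:
    """Hypothetical, minimal argument processor. patched=False models the
    pre-fix behaviour: defaults and fallback values never reach no_log_values."""

    def __init__(self, argument_spec: dict, params: dict, patched: bool = True):
        self.argument_spec = argument_spec
        self.params = dict(params)
        self.patched = patched
        self.no_log_values = set()
        self._collect_explicit_no_log()
        self._set_fallbacks()
        self._set_defaults()

    def _collect_explicit_no_log(self) -> None:
        # Values supplied by the caller were always masked; this was never the bug.
        for name, spec in self.argument_spec.items():
            if spec.get("no_log") and name in self.params:
                self.no_log_values.update(return_values(self.params[name]))

    def _set_fallbacks(self) -> None:
        for name, spec in self.argument_spec.items():
            if name in self.params or "fallback" not in spec:
                continue
            strategy, args = spec["fallback"]
            value = strategy(*args)
            if value is None:
                continue
            self.params[name] = value
            # Fix: the fallback's return value must be registered for masking too.
            if self.patched and spec.get("no_log"):
                self.no_log_values.update(return_values(value))

    def _set_defaults(self) -> None:
        for name, spec in self.argument_spec.items():
            if name in self.params or spec.get("default") is None:
                continue
            self.params[name] = spec["default"]
            # Fix: a no_log parameter's default is as sensitive as a supplied value.
            if self.patched and spec.get("no_log"):
                self.no_log_values.update(return_values(spec["default"]))

    def remove_values(self, text: str) -> str:
        """Mask every known secret in text (longest first to avoid partial leftovers)."""
        for secret in sorted(self.no_log_values, key=len, reverse=True):
            text = text.replace(secret, MASK)
        return text


# Constructed sample environment and argument spec; the values are not real credentials.
CONSTRUCTED_ENV = {"DEMO_API_TOKEN": "tok-constructed-9f1c"}

ARGUMENT_SPEC = {
    "user": {"default": "admin"},
    "api_token": {
        "no_log": True,
        "fallback": (partial(env_fallback, env=CONSTRUCTED_ENV), ("DEMO_API_TOKEN",)),
    },
    "db_password": {"no_log": True, "default": "constructed-default-pw"},
}


def render_log(patched: bool) -> str:
    """Process a call that supplies only `user`, then format the resolved
    parameters the way a log line or module result would, after masking."""
    module = ModuleArgs(ARGUMENT_SPEC, {"user": "deploy"}, patched=patched)
    line = "invoked with " + ", ".join(f"{k}={v}" for k, v in sorted(module.params.items()))
    return module.remove_values(line)


if __name__ == "__main__":
    print("pre-patch:", render_log(patched=False))
    print("patched:  ", render_log(patched=True))
```

With `patched=False` the rendered line contains both the environment-sourced token and the default password in clear, because neither value was ever added to `no_log_values`; with `patched=True` both appear as `********`. The detection angle for defenders is the same as the added tests in the fix: feed a module a `no_log` parameter that is resolved only through a default or a fallback, and assert that the value never appears in any emitted output.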


WAF Protection Rules

WAF Rule

A flaw was found in the Ansible Engine prior to 2.10.6rc1, 2.9.18rc1, and 2.8.19rc1, where sensitive info is not masked by default and is not protected by the `no_log` feature when using the sub-option feature of the basic.py module. This flaw allows
