VYPR
← All advisories
High severityNVD Advisory· Published May 26, 2021· Updated Aug 3, 2024

CVE-2021-20178

CVE-2021-20178

Description

A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Ansible's bitbucket_pipeline_variable module discloses credentials in console logs, allowing attackers to steal Bitbucket pipeline secrets.

Vulnerability

Description

CVE-2021-20178 is a flaw in the Ansible bitbucket_pipeline_variable module where credentials are disclosed in console logs by default. The module fails to mask secured values when logging, exposing sensitive information such as Bitbucket pipeline secrets to anyone with access to the log output [1]. This oversight bypasses the intended security feature that should protect such credentials.

Attack

Surface and Exploitation

The vulnerability can be exploited by an attacker who gains access to the console log output of an Ansible playbook execution that uses the bitbucket_pipeline_variable module. No special privileges are required beyond the ability to read the log files [2]. The attack vector is local to the system executing the playbook or through any channel where logs are exposed (e.g., centralized logging systems).

Impact

An attacker can steal bitbucket_pipeline credentials, leading to unauthorized access to Bitbucket pipeline resources. The primary threat is to confidentiality, as the exposed credentials can be used to compromise continuous integration workflows and source code repositories [3].

Mitigation

A fix was merged in pull request #1635 of the community.general collection, which hides secured values in the console log for this module [1]. Users should update to a patched version of the collection (e.g., version 2.9.18 or later) to mitigate the risk. No workaround is available besides applying the patch.

References
  1. bitbucket_pipeline_variable: Hide secured values in console log by Akasurde · Pull Request #1635 · ansible-collections/community.general
  2. NVD - CVE-2021-20178
  3. CVE-2021-20178 - GitHub Advisory Database

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
ansiblePyPI
< 2.9.182.9.18

Affected products

74

Patches

1
1d0c5e2ba477

bitbucket_pipeline_variable: Hide secured values in console log (#1635)

https://github.com/ansible-collections/community.generalAbhijeet KasurdeJan 14, 2021via ghsa
commit
2 files changed · +12 2
  • changelogs/fragments/cve_bitbucket_pipeline_variable.yml+2 0 added
    @@ -0,0 +1,2 @@
+security_fixes:
+- 'bitbucket_pipeline_variable - **CVE-2021-20180** - hide user sensitive information which are marked as ``secured`` from logging into the console (https://github.com/ansible-collections/community.general/pull/1635).'
  • plugins/modules/source_control/bitbucket/bitbucket_pipeline_variable.py+10 2 modified
    @@ -85,7 +85,7 @@
 
 RETURN = r''' # '''
 
-from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.basic import AnsibleModule, _load_params
 from ansible_collections.community.general.plugins.module_utils.source_control.bitbucket import BitbucketHelper
 
 error_messages = {
@@ -211,6 +211,14 @@ def delete_pipeline_variable(module, bitbucket, variable_uuid):
         ))
 
 
+class BitBucketPipelineVariable(AnsibleModule):
+    def __init__(self, *args, **kwargs):
+        params = _load_params() or {}
+        if params.get('secured'):
+            kwargs['argument_spec']['value'].update({'no_log': True})
+        super(BitBucketPipelineVariable, self).__init__(*args, **kwargs)
+
+
 def main():
     argument_spec = BitbucketHelper.bitbucket_argument_spec()
     argument_spec.update(
@@ -221,7 +229,7 @@ def main():
         secured=dict(type='bool', default=False),
         state=dict(type='str', choices=['present', 'absent'], required=True),
     )
-    module = AnsibleModule(
+    module = BitBucketPipelineVariable(
         argument_spec=argument_spec,
         supports_check_mode=True,
     )

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

17

News mentions

0

No linked articles in our index yet.