CVE-2021-20180
Description
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ansible's bitbucket_pipeline_variable module logs credentials in plaintext, allowing attackers with console access to steal CI/CD secrets.
Vulnerability
The bitbucket_pipeline_variable module in Ansible before version 2.8.19 discloses Bitbucket Pipeline credentials (e.g., username, password, or OAuth tokens) in plaintext within the console log output [1][3]. The module fails to obscure or mask sensitive parameter values during the module's default execution, contrary to Ansible's security best practices for handling secrets. This affects all versions of Ansible up to and including 2.8.18 using the bitbucket_pipeline_variable module [1].
Exploitation
An attacker must have access to the console log output of an Ansible playbook run that employs the bitbucket_pipeline_variable module [2]. No authentication is needed beyond observing the log; the credentials are printed as part of the normal task output, typically when the module's parameters are logged or during a no_log bypass [1]. The attacker does not need to be the original executor of the playbook—anyone with read access to the logging system (e.g., a CI/CD dashboard, shared terminal history, or log aggregation service) can extract the credentials.
Impact
Successful exploitation results in direct disclosure of Bitbucket Pipeline credentials, leading to unauthorized access to the associated Bitbucket repositories and CI/CD pipelines [1]. The confidentiality of the credentials is compromised, potentially allowing an attacker to read, modify, or exfiltrate source code, inject malicious changes into build artifacts, or pivot to other connected systems. The impact is primarily to confidentiality, with secondary effects on integrity depending on what the stolen credentials enable.
Mitigation
Ansible fixed the issue in version 2.8.19 by adding no_log=True to the bitbucket_pipeline_variable module's sensitive parameters, preventing their output in console logs [1][3]. Users should upgrade Ansible core to version 2.8.19 or later, or apply the patch by backporting the no_log attribute if an upgrade is not immediately feasible [3]. On the 2.9 branch, the advisory data on this page lists versions from 2.9.0b1 up to but not including 2.9.18 as affected, with 2.9.18 as the patched release, so a 2.9.x install needs 2.9.18 or later. No official workaround exists for older versions beyond strict access control to Ansible logs and using alternative credential management (e.g., Ansible Vault) to pass secrets separately. This CVE is not listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog.
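The same class of omission can be audited for in other modules. The following is an added example, not code from the Ansible project: it parses a module's source and reports secret-looking parameters whose argument spec does not set no_log=True. The sample module, its parameter names and the SENSITIVE_HINTS list are constructed for illustration and are not the real bitbucket_pipeline_variable spec.

```python
import ast

# Substrings that suggest a parameter carries a secret (heuristic, an assumption).
SENSITIVE_HINTS = ("password", "passwd", "secret", "token", "private_key")

# Constructed sample module source; parameter names are illustrative only.
SAMPLE_MODULE = '''
def main():
    argument_spec = dict(
        username=dict(type="str"),
        client_secret=dict(type="str"),
        api_token=dict(type="str", no_log=True),
        password={"type": "str", "no_log": False},
        state=dict(type="str", choices=["present", "absent"]),
    )
    module = AnsibleModule(argument_spec=argument_spec)
'''


def _options(node):
    """Return {option: value_node} for a dict(...) call or {...} literal, else None."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id == "dict":
        return {kw.arg: kw.value for kw in node.keywords if kw.arg}
    if isinstance(node, ast.Dict):
        return {k.value: v for k, v in zip(node.keys, node.values)
                if isinstance(k, ast.Constant) and isinstance(k.value, str)}
    return None


def find_unprotected_params(source):
    """List sensitive-looking parameters whose spec does not set no_log=True."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        spec = _options(node)
        if not spec:
            continue
        for name, value in spec.items():
            opts = _options(value)
            if opts is None or not any(h in name.lower() for h in SENSITIVE_HINTS):
                continue
            flag = opts.get("no_log")
            if not (isinstance(flag, ast.Constant) and flag.value is True):
                findings.add(name)
    return sorted(findings)


if __name__ == "__main__":
    print(find_unprotected_params(SAMPLE_MODULE))
```

Name matching is only a heuristic: a parameter such as a generic value field can carry a secret without a telltale name, so findings are a starting point for review rather than a complete list.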
- NVD - CVE-2021-20180
- GitHub - ansible/ansible
- ansible/changelogs/CHANGELOG-v2.8.rst at v2.8.19 · ansible/ansible
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ansible (PyPI) | >= 2.8.0a1, < 2.8.19 | 2.8.19 |
| ansible (PyPI) | >= 2.9.0b1, < 2.9.18 | 2.9.18 |
Affected products
74 entries
- ansible/bitbucket_pipeline_variable (description)
References
- github.com/advisories/GHSA-fh5v-5f35-2rv2 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-20180 (ghsa, ADVISORY)
- bugzilla.redhat.com/show_bug.cgi (ghsa, x_refsource_MISC, WEB)
- github.com/ansible/ansible/blob/v2.8.19/changelogs/CHANGELOG-v2.8.rst (ghsa, WEB)
- github.com/ansible/ansible/blob/v2.9.18/changelogs/CHANGELOG-v2.9.rst (ghsa, WEB)
- github.com/ansible/ansible/pull/73242 (ghsa, WEB)
- github.com/ansible/ansible/pull/73243 (ghsa, WEB)
- github.com/ansible/ansible/tree/v2.7.18/lib/ansible/modules/source_control (ghsa, WEB)
- github.com/ansible/ansible/tree/v2.8.0a1/lib/ansible/modules/source_control (ghsa, WEB)