VYPR
Moderate severity · NVD Advisory · Published Mar 3, 2022 · Updated Feb 13, 2025

CVE-2021-3620

Description

A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Ansible Engine's ansible-connection module discloses user credentials in traceback error messages, leading to information disclosure.

Vulnerability

The ansible-connection module in Ansible Engine improperly includes sensitive information such as Ansible user credentials in default traceback error messages. This flaw affects Ansible Engine versions before 2.9.23, 2.10.x before 2.10.12, and 3.x before 3.4.0 [1][2][3]. The bug is triggered when connection errors occur and the module outputs debugging or error information.

Exploitation

An attacker can exploit this vulnerability by causing a connection error in the ansible-connection module, which generates a traceback that reveals credentials. This can be achieved by an attacker with the ability to trigger an Ansible connection attempt (e.g., by controlling a target host or by inducing a misconfiguration) [2][3]. No special privileges are required beyond the ability to trigger a connection failure.

Impact

Successful exploitation results in disclosure of sensitive Ansible user credentials, such as SSH keys or passwords, which can be used to compromise managed hosts and escalate privileges. The highest threat is to confidentiality [3][4].

Mitigation

Red Hat released an errata (RHSA-2021:4703) with fixes in Ansible Engine 2.9.23, 2.10.12, and 3.4.0 [1][2]. Users should update to these or later versions. As a workaround, ensure that error tracebacks are not exposed to untrusted users and that logs containing tracebacks are properly secured.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
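To make the leak pattern and the scrubbing step concrete, here is an added Python illustration that is not Ansible's own code: `SENSITIVE_KEYS` is a constructed stand-in for the `C.MAGIC_VARIABLE_MAPPING` entries the patch reads, and `scrub` is a hypothetical, simplified re-implementation of the idea behind `remove_values`, not the real helper. The "vulnerable" function builds the exception text the way the pre-fix code did; the "fixed" one gathers secrets from the kwargs first and masks them before formatting.

```python
from typing import Any, Dict, Iterable, List

# Constructed stand-in for the MAGIC_VARIABLE_MAPPING entries the fix treats as
# sensitive; the real tuples live in ansible.constants.
SENSITIVE_KEYS = ["ansible_password", "ansible_ssh_pass",
                  "ansible_private_key_file", "ansible_become_pass"]
MASK = "********"


def collect_sensitive_values(kwargs: Dict[str, Any], keys: Iterable[str]) -> List[Any]:
    # Mirror the fix: look one level into each dict-valued kwarg for secret keys.
    # Non-dict kwargs are skipped here; the patched code assumes every kwarg is a dict.
    wanted = set(keys)
    return [v2 for v in kwargs.values() if isinstance(v, dict)
            for k2, v2 in v.items() if k2 in wanted and v2 not in (None, "")]


def scrub(value: Any, secrets: List[Any]) -> Any:
    # Hypothetical stand-in for remove_values(): mask each secret wherever it appears.
    if isinstance(value, dict):
        return {k: scrub(v, secrets) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v, secrets) for v in value)
    if isinstance(value, str):
        for s in secrets:  # also catches a secret embedded inside a longer string
            value = value.replace(str(s), MASK)
        return value
    return MASK if any(value == s for s in secrets) else value


def _message(name: str, params: List[str], out: str) -> str:
    return "Unable to decode JSON from response to {0}({1}). Received '{2}'.".format(
        name, ", ".join(params), out)


def format_error_vulnerable(name: str, args: tuple, kwargs: Dict[str, Any], out: str) -> str:
    # Pre-fix shape: every argument is repr()'d straight into the exception text.
    params = [repr(a) for a in args] + ["{0}={1!r}".format(k, v) for k, v in kwargs.items()]
    return _message(name, params, out)


def format_error_fixed(name: str, args: tuple, kwargs: Dict[str, Any], out: str) -> str:
    # Post-fix shape: gather secrets from kwargs, scrub args and kwargs before formatting.
    # As in the patch, the raw response `out` is interpolated untouched.
    secrets = collect_sensitive_values(kwargs, SENSITIVE_KEYS)
    params = [repr(scrub(a, secrets)) for a in args] + [
        "{0}={1!r}".format(k, scrub(v, secrets)) for k, v in kwargs.items()]
    return _message(name, params, out)
```

Feeding both functions a constructed play-context dict that carries `ansible_password` shows the password in the first message and `********` in the second, while the non-secret fields stay readable for troubleshooting.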

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
ansible (PyPI)   < 2.9.27            2.9.27

Affected products

73

Patches

1
fe28767970c8

Fixed exposed credentials in exception

https://github.com/ansible/ansible · dalrrard · Jun 7, 2021 · via ghsa
1 file changed · +18 -1
  • lib/ansible/module_utils/connection.py (+18 -1, modified)
    @@ -38,10 +38,13 @@
     import uuid
     
     from functools import partial
    +from ansible import constants as C
     from ansible.module_utils._text import to_bytes, to_text
     from ansible.module_utils.common.json import AnsibleJSONEncoder
    +from ansible.module_utils.common.parameters import remove_values
     from ansible.module_utils.six import iteritems
     from ansible.module_utils.six.moves import cPickle
    +from ansible.utils.helpers import deduplicate_list
     
     
     def write_to_file_descriptor(fd, obj):
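Review bot: `deduplicate_list` is imported from `ansible.utils.helpers` in this hunk but nothing in the visible change uses it; either drop the import or apply it to `sensitive_values` in `_exec_jsonrpc`, which can otherwise hold the same secret several times when it appears under more than one key. Also worth a short comment: this file sits under `module_utils`, and the hunk now imports `ansible.constants` and `ansible.utils.helpers`, which are controller-side packages, so the file should not be treated as something that can be shipped to a managed host.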
    @@ -163,12 +166,26 @@ def _exec_jsonrpc(self, name, *args, **kwargs):
             try:
                 response = json.loads(out)
             except ValueError:
    -            params = [repr(arg) for arg in args] + ['{0}={1!r}'.format(k, v) for k, v in iteritems(kwargs)]
    +            sensitive_keys = list(
    +                    C.MAGIC_VARIABLE_MAPPING["password"]
    +                    + C.MAGIC_VARIABLE_MAPPING["private_key_file"]
    +                    + C.MAGIC_VARIABLE_MAPPING["become_pass"]
    +            )
    +            sensitive_values = [
    +                v2 
    +                for k, v in iteritems(kwargs) 
    +                for k2, v2 in iteritems(v) 
    +                if k2 in sensitive_keys
    +            ]
    +            params = [repr(remove_values(arg, sensitive_values)) for arg in args] + [
    +                "{0}={1!r}".format(k, remove_values(v, sensitive_values)) 
    +                for k, v in iteritems(kwargs)]
                 params = ', '.join(params)
                 raise ConnectionError(
                     "Unable to decode JSON from response to {0}({1}). Received '{2}'.".format(name, params, out)
                 )
     
    +
             if response['id'] != reqid:
                 raise ConnectionError('invalid json-rpc id received')
             if "result_type" in response:
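Review bot: the `sensitive_values` comprehension calls `iteritems(v)` on every kwarg value, so a non-mapping kwarg would raise `AttributeError` inside the `except ValueError` handler and replace the intended `ConnectionError` with an unrelated traceback; guard with `isinstance(v, dict)` (or `collections.abc.Mapping`) before iterating. Two smaller points: the raw response `out` is still interpolated into the message unscrubbed, so a credential echoed back by the remote end would still reach the exception text, and the `v2`, `for k, v in iteritems(kwargs)` and `"{0}={1!r}".format(...)` lines carry trailing whitespace while the lone `+` after the `raise` adds a stray blank line.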
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

13

News mentions

0

No linked articles in our index yet.