CVE-2021-3620: 
Ansible vulnerability analysis and mitigation

A flaw was found in Ansible Engine's ansible-connection module (CVE-2021-3620), where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The vulnerability was discovered in 2021 and affects Ansible Engine versions up to (excluding) 2.9.27 (NVD, Red Hat).

The vulnerability has a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue occurs when the ansible-connection module receives an unexpected response from set_options, causing sensitive connection parameters to be exposed in tracebacks that are displayed on screen and written to log files (GitHub Fix).

The highest threat from this vulnerability is to confidentiality, as it could expose sensitive information such as Ansible user credentials in error messages. This could potentially allow attackers with access to log files or error output to obtain authentication credentials (NVD).

The vulnerability was fixed in Ansible Engine version 2.9.27. The fix involves creating a list of sensitive connection parameter names from ansible.constants, identifying sensitive values in the parameters before they are displayed, and using the moduleutils.common.parameters.removevalues function to hide them (GitHub Fix, Red Hat).