A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the build_ignore list in galaxy.yml include files in the .tar.gz file. This contains sensitive info, such as the users Ansible Galaxy API key and any secrets in ansible or ansible-playbook verbose output without theno_log redaction. Currently, there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets.
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ansible_automation_platform | Redhat | 1.2 (including) | 1.2 (including) |
| Ansible_galaxy | Redhat | 3.3.0 (including) | 3.3.0 (including) |