Your submission was sent successfully! Close

CVE-2021-3533

Published: 9 June 2021

A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world writable directory. When this occurs, there is a race condition on the managed machine. A malicious, non-privileged account on the remote machine can exploit the race condition to access the async result data. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.

Priority

Low

CVSS 3 base score: 2.5

Status

Package Release Status
ansible
Launchpad, Ubuntu, Debian
bionic Deferred
(2022-01-14)
focal Deferred
(2022-01-14)
groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Deferred
(2022-01-14)
jammy Deferred
(2022-01-14)
precise Does not exist

trusty Deferred
(2022-01-14)
upstream Deferred
(2022-01-14)
xenial Ignored
(out of standard support)
ansible-base
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

groovy Does not exist

hirsute Ignored
(reached end-of-life)
impish Needs triage

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(out of standard support)
ansible-core
Launchpad, Ubuntu, Debian
bionic Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Needs triage

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(out of standard support)

Notes

AuthorNote
sbeattie
requires user to use a world writable directory
apparently unfixed upstream as of 2022-01-14

References

Bugs