CVE-2021-3583

Published: 22 September 2021

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.

Priority

Medium

CVSS 3 base score: 7.1

Status

Package: ansible
Launchpad, Ubuntu, Debian

Release    Status
bionic     Needed
focal      Needed
groovy     Ignored (reached end-of-life)
hirsute    Ignored (reached end-of-life)
impish     Ignored (reached end-of-life)
jammy      Needed
kinetic    Needed
trusty     Not vulnerable (code not present)
upstream   Released (2.11.2, 2.10.11, 2.9.23)
xenial     Ignored (out of standard support)

Patches:
upstream: https://github.com/ansible/ansible/commit/8b17e5b9229ffaecfe10a4881bc3f87dd2c184e1 (2.9)
upstream: https://github.com/ansible/ansible/commit/4c8c40fd3d4a58defdc80e7d22aa8d26b731353e

Package: ansible-base
Launchpad, Ubuntu, Debian

Release    Status
bionic     Does not exist
focal      Does not exist
groovy     Does not exist
hirsute    Ignored (reached end-of-life)
impish     Ignored (reached end-of-life)
jammy      Does not exist
kinetic    Does not exist
trusty     Does not exist
upstream   Needs triage
xenial     Ignored (out of standard support)

Package: ansible-core
Launchpad, Ubuntu, Debian

Release    Status
bionic     Does not exist
focal      Does not exist
groovy     Does not exist
hirsute    Does not exist
impish     Does not exist
jammy      Not vulnerable (2.12.0-1)
kinetic    Not vulnerable (2.12.0-1)
trusty     Does not exist
upstream   Needs triage
xenial     Ignored (out of standard support)