CVE-2021-3583
Published: 22 September 2021
A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.
Priority
Medium
CVSS 3 base score: 7.1
Status
| Package | Release | Status |
|---|---|---|
|
ansible Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| focal |
Needed
|
|
| groovy |
Ignored
(reached end-of-life)
|
|
| hirsute |
Ignored
(reached end-of-life)
|
|
| impish |
Ignored
(reached end-of-life)
|
|
| jammy |
Needed
|
|
| kinetic |
Needed
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Released
(2.11.2,2.10.11,2.9.23)
|
|
| xenial |
Ignored
(out of standard support)
|
|
|
Patches: upstream: https://github.com/ansible/ansible/commit/8b17e5b9229ffaecfe10a4881bc3f87dd2c184e1 (2.9) upstream: https://github.com/ansible/ansible/commit/4c8c40fd3d4a58defdc80e7d22aa8d26b731353e |
||
|
ansible-base Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Ignored
(reached end-of-life)
|
|
| impish |
Ignored
(reached end-of-life)
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(out of standard support)
|
|
|
ansible-core Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Not vulnerable
(2.12.0-1)
|
|
| kinetic |
Not vulnerable
(2.12.0-1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(out of standard support)
|
|