Vulnerability CVE-2021-3533


Published: 2021-06-09

Description:
A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world writable directory. When this occurs, there is a race condition on the managed machine. A malicious, non-privileged account on the remote machine can exploit the race condition to access the async result data. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.

Type:

CWE-367

(Time-of-check Time-of-use (TOCTOU) Race Condition)

CVSS2 => (AV:L/AC:H/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
1.2/10
2.9/10
1.9/10
Exploit range
Attack complexity
Authentication
Local
High
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
Redhat -> Ansible automation platform 
Redhat -> Ansible tower 
Redhat -> Ansible engine 
Redhat -> Enterprise linux 
Redhat -> Openstack-rdo 
Fedoraproject -> Fedora 

 References:
https://bugzilla.redhat.com/show_bug.cgi?id=1956477

Copyright 2022, cxsecurity.com

 

Back to Top