CVE-2021-3701

Published: Aug 23, 2022Modified: Nov 21, 2024

6.6

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Exploitability: 1.3 / Impact: 5.2

Source: NVD

Description

A flaw was found in ansible-runner where the default temporary files configuration in ansible-2.0.0 are written to world R/W locations. This flaw allows an attacker to pre-create the directory, resulting in reading private information or forcing ansible-runner to write files as the legitimate user in a place they did not expect. The highest threat from this vulnerability is to confidentiality and integrity.

Affected (1)

Products: Redhat: Ansible Runner

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Ansible Runner	Version 2.0.0

Related CWEs

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (8)

https://access.redhat.com/security/cve/CVE-2021-3701

Source: secalert@redhat.com

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1977959

Source: secalert@redhat.com

Issue TrackingPatchVendor Advisory

https://github.com/ansible/ansible-runner/issues/738

Source: secalert@redhat.com

Issue TrackingThird Party Advisory

https://github.com/ansible/ansible-runner/pull/742/commits

Source: secalert@redhat.com

PatchThird Party Advisory

https://access.redhat.com/security/cve/CVE-2021-3701

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1977959

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchVendor Advisory

https://github.com/ansible/ansible-runner/issues/738

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://github.com/ansible/ansible-runner/pull/742/commits

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.