Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2021-3583

UNKNOWN
Published 2021-09-22T00:00:00
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2021-3583. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Improper Input Validation and Command Injection in Ansible

GHSA-2pfh-q76x-gwvm

Advisory Details

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.

Affected Packages

PyPI ansible
ECOSYSTEM: ≥0 <2.9.23rc1
PyPI ansible
ECOSYSTEM: ≥2.10.0a1 <2.10.11rc1
PyPI ansible
ECOSYSTEM: ≥2.11.0a1 <2.11.2rc1

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-3583
WEB https://github.com/ansible/ansible/pull/74960
WEB https://github.com/ansible/ansible/commit/03aff644cc1c00e1f7551195c68fbd0d13a39e6e
WEB https://github.com/ansible/ansible/commit/8aa850e3573e48c9a2f12aef84e8a3a6f5ba4847
WEB https://github.com/ansible/ansible/commit/8b17e5b9229ffaecfe10a4881bc3f87dd2c184e1
WEB https://bugzilla.redhat.com/show_bug.cgi?id=1968412
ADVISORY https://github.com/advisories/GHSA-2pfh-q76x-gwvm
PACKAGE https://github.com/ansible/ansible
WEB https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2021-358.yaml
WEB https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html

Advisory provided by GitHub Security Advisory Database. Published: September 23, 2021, Modified: September 6, 2024

References

https://bugzilla.redhat.com/show_bug.cgi?id=1968412
https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
Published: 2021-09-22T00:00:00
Last Modified: 2024-08-03T17:01:07.381Z
Copied to clipboard!