CVE Vulnerability

CVE-2021-3701

A flaw was found in ansible-runner where the default temporary files configuration in ansible-2.0.0 are written to world R/W locations. This flaw allows an attacker to pre-create the directory, resulting in reading private information or forcing ansible-runner to write files as the legitimate user in a place they did not expect. The highest threat from this vulnerability is to confidentiality and integrity.

6.6 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.3 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://access.redhat.com/security/cve/CVE-2021-3701 Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1977959 Issue Tracking Patch
https://github.com/ansible/ansible-runner/pull/742/commits Patch Third Party Advisory
https://github.com/ansible/ansible-runner/issues/738 Issue Tracking Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:redhat:ansible_runner:2.0.0:-:*:*:*:*:*:*
Information

Published : 2022-08-23 04:15

Updated : 2023-02-17 07:06

NVD link : CVE-2021-3701

Mitre link : CVE-2021-3701

Products Affected
No products.
CWE
CWE-276

Incorrect Default Permissions