Severity: 7.1 HIGH
EPSS: 0.3% (top 45.11%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 22; Latest update Jun 7

Description

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 1.8 | Impact: 5.2

Affected Packages (7 packages)

PyPI: ansible, 2.10.0a1 to 2.10.11rc1 (+2)
NVD: redhat/ansible_engine, < 2.9.23
Debian: ansible, < 2.10.7+merged+base+2.10.17+dfsg-0+deb11u1 (+3)
Debian: ansible-core, < 2.12.0-1 (+2)

Vulnerability Details (4)

GHSA: Improper Input Validation and Command Injection in Ansible (2021-09-23)
OSV: Improper Input Validation and Command Injection in Ansible (2021-09-23)
OSV: CVE-2021-3583: A flaw was found in Ansible, where a user's controller is vulnerable to template injection (2021-09-22)
CVEList: CVE-2021-3583: A flaw was found in Ansible, where a user's controller is vulnerable to template injection (2021-09-22)

Vendor Advisories (4)

Ubuntu: Ansible vulnerabilities (2022-06-07)
Microsoft: A flaw was found in Ansible where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line (2021-09-14)
Red Hat: ansible: Template Injection through yaml multi-line strings with ansible facts used in template. (2021-06-08)
Debian: CVE-2021-3583: ansible - A flaw was found in Ansible, where a user's controller is vulnerable to template... (2021)