Vulnerability Description
A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.
CVSS Score
7.1 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Ansible Automation Platform | 1.2 |
| Red Hat | Ansible Engine | < 2.9.23 |
| Red Hat | Ansible Tower | < 3.7.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1968412 (Issue Tracking, Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
FAQ
What is CVE-2021-3583?
CVE-2021-3583 is a vulnerability with a CVSS score of 7.1 (HIGH). A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information.
How severe is CVE-2021-3583?
CVE-2021-3583 has been rated HIGH with a CVSS base score of 7.1/10. See the CVSS Score section above; the highest threat from this vulnerability is to confidentiality and integrity.
Is there a patch for CVE-2021-3583?
Check the References section above for vendor advisories and patch information. Affected products include: Red Hat Ansible Automation Platform 1.2, Red Hat Ansible Engine before 2.9.23, and Red Hat Ansible Tower before 3.7.0.