CVE-2021-3532

Description

A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory. Any secret information in an async status file will be readable by a malicious user on that system. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.

Related CPE's

aredhatansible_automation_platform1.2*******

vulnerable

aredhatansible_tower3.7.0*******

vulnerable

aredhatansible_engine2.0*******

vulnerable

aredhatansible_tower3.0*******

vulnerable

oredhatenterprise_linux7.0*******

vulnerable

ofedoraprojectfedora34*******

vulnerable

aredhatopenstack-rdo-*******

vulnerable

References

https://bugzilla.redhat.com/show_bug.cgi?id=1956464

Issue TrackingThird Party Advisory

CvssV3 impact

BaseSeverity

MEDIUM

ConfidentialityImpact

HIGH

AttackComplexity

LOW

Scope

UNCHANGED

AttackVector

LOCAL

AvailabilityImpact

NONE

IntegrityImpact

NONE

PrivilegesRequired

NONE

BaseScore

5.5

VectorString

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Version

3.1

UserInteraction

REQUIRED

CvssV2 impact

AccessComplexity

MEDIUM

ConfidentialityImpact

PARTIAL

AvailabilityImpact

NONE

IntegrityImpact

NONE

BaseScore

4.3

VectorString

AV:N/AC:M/Au:N/C:P/I:N/A:N

Version

2.0

AccessVector

NETWORK

Authentication

NONE

Created by Yello
About Severity.io