CVE-2021-3583

Aliases:GHSA-2pfh-q76x-gwvmPYSEC-2021-358

Advisory lineage Upstream: 0 Downstream: 16

Downstream

DEBIAN-CVE-2021-3583 DLA-3695-1 MGASA-2021-0420 OPENSUSE-SU-2024:14244-1 OPENSUSE-SU-2024:14536-1 OPENSUSE-SU-2025:15605-1

Modified

Published: 22 Sept 2021, 00:00

Last modified:03 Aug 2024, 17:01

Vulnerability Summary

Overall Risk (default)

medium

28/100

CVSS Score

7.1 HIGH

v3.1 (nvd)

EPSS Score

0.28% LOW

0% probability -0.04%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

22 Sept 2021, 00:00

Published

Vulnerability first disclosed

03 Aug 2024, 17:01

Last Modified

Vulnerability information updated

Description

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.

CVSS Metrics

v4.0•HIGH•Score: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
v3.1•HIGH•Score: 7.1CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
v2.0•LOW•Score: 3.6AV:L/AC:L/Au:N/C:P/I:P/A:N

EPSS Trends

Current EPSS score: 0.28%• Percentile: 51%

Techniques & Countermeasures

CWE-94•Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-20•Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

PyPI•ansible
< 2.9.23rc1 | ≥ 2.10.0a1, < 2.10.11rc1 | ≥ 2.11.0a1, < 2.11.2rc1 | < 2.9.23
redhat•ansible_automation_platform
1.2
redhat•ansible_engine
< 2.9.23
redhat•ansible_tower
< 3.7.0