6.6

CVE-2021-3701

A flaw was found in ansible-runner where the default temporary files configuration in ansible-2.0.0 are written to world R/W locations. This flaw allows an attacker to pre-create the directory, resulting in reading private information or forcing ansible-runner to write files as the legitimate user in a place they did not expect. The highest threat from this vulnerability is to confidentiality and integrity.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RedhatAnsible Runner Version2.0.0 Update-
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.26% 0.175
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.6 1.3 5.2
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

https://access.redhat.com/security/cve/CVE-2021-3701
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1977959
Patch
Vendor Advisory
Issue Tracking
https://github.com/ansible/ansible-runner/issues/738
Third Party Advisory
Issue Tracking
https://github.com/ansible/ansible-runner/pull/742/commits
Patch
Third Party Advisory