CVE-2021-4041

EPSS 0.05%
Published 24.08.2022 16:15:09
Last modified 21.11.2024 06:36:46
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansible_runner.interface.run_command, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual environment.

Affected products Warnungen 0 Metrics 2 CWE 2 References 6

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Ansible Runner Version < 2.1.0

Redhat ≫ Ansible Runner Version2.1.0 Updatealpha1

Redhat ≫ Ansible Runner Version2.1.0 Updatealpha2

Redhat ≫ Ansible Runner Version2.1.0 Updatebeta1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.05%	0.166

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://access.redhat.com/security/cve/CVE-2021-4041

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2028074

Patch

Vendor Advisory

Issue Tracking

https://github.com/ansible/ansible-runner/commit/3533f265f4349a3f2a0283158cd01b59a6bbc7bd

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-4041

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-4041

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-4041

EUVD