CVE-2021-3583 : A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.

Published 2021-09-22 12:15:08

Updated 2023-12-28 19:15:13

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Input validation

Exploit prediction scoring system (EPSS) score for CVE-2021-3583

Probability of exploitation activity in the next 30 days: 0.04%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 10 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-3583

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.6	LOW	AV:L/AC:L/Au:N/C:P/I:P/A:N	3.9	4.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
7.1	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N	1.8	5.2	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2021-3583

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: secalert@redhat.com (Secondary)
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Assigned by: secalert@redhat.com (Secondary)
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-3583

https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html

[SECURITY] [DLA 3695-1] ansible security update

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=1968412

1968412 – (CVE-2021-3583) CVE-2021-3583 ansible: Template Injection through yaml multi-line strings with ansible facts used in template.
Issue Tracking;Vendor Advisory

Products affected by CVE-2021-3583

Redhat » Ansible Tower
Versions before (<) 3.7.0
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
Matching versions
Redhat » Ansible Engine
Versions before (<) 2.9.23
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
Matching versions
Redhat » Ansible Automation Platform » Version: 1.2
cpe:2.3:a:redhat:ansible_automation_platform:1.2:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2021-3583

Exploit prediction scoring system (EPSS) score for CVE-2021-3583

CVSS scores for CVE-2021-3583

CWE ids for CVE-2021-3583

References for CVE-2021-3583

Products affected by CVE-2021-3583