CVE-2021-3533
Description
A flaw was found in Ansible that occurs when an Ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world-writable directory. This creates a race condition on the managed machine, which a malicious, non-privileged account on the remote machine can exploit to access the async result data. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.
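A check for the condition described above, as an added example that is not part of the original advisory or of Ansible's own code: it walks the ancestors of the configured ANSIBLE_ASYNC_DIR path and reports any that are world-writable. The function names are hypothetical, and it assumes it is run on the managed machine with the same ANSIBLE_ASYNC_DIR value the Ansible user set.

```python
import os
import stat
import sys


def world_writable_ancestors(async_dir):
    """Return every existing ancestor directory of async_dir that is world-writable."""
    # Resolve ~ and symlinks so the check follows the path actually used on disk.
    path = os.path.realpath(os.path.expanduser(async_dir))
    hits = []
    parent = os.path.dirname(path)
    while True:
        try:
            mode = os.stat(parent).st_mode
        except OSError:
            mode = 0  # ancestor missing or unreadable; keep walking up
        # S_IWOTH is flagged even with the sticky bit set (e.g. /tmp), because
        # the advisory's condition is simply "world writable".
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            hits.append(parent)
        if parent == os.path.dirname(parent):  # reached the filesystem root
            break
        parent = os.path.dirname(parent)
    return hits


def audit(environ=os.environ):
    """Check ANSIBLE_ASYNC_DIR in the given environment; return (value, hits)."""
    value = environ.get("ANSIBLE_ASYNC_DIR")
    if not value:
        return None, []
    return value, world_writable_ancestors(value)


if __name__ == "__main__":
    value, hits = audit()
    if value is None:
        print("ANSIBLE_ASYNC_DIR is not set; nothing to check")
    elif hits:
        print(f"ANSIBLE_ASYNC_DIR={value} is under world-writable: {', '.join(hits)}")
        sys.exit(1)
    else:
        print(f"ANSIBLE_ASYNC_DIR={value}: no world-writable ancestor")
```

A non-zero exit status means the configured path matches the condition in the description and should be moved under a directory only the Ansible user can write to.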
How to fix CVE-2021-3533
To remediate CVE-2021-3533, upgrade the affected package to one of the fixed versions listed below.
- PyPI/ansible: upgrade to 3.0.0 or later
Is CVE-2021-3533 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2021-3533.
Affected packages (1)
- from 0, < 3.0.0