What is CVE-2021-3533?

CVE-2021-3533 is a vulnerability found in Ansible that allows a malicious, non-privileged account to exploit a race condition and access the async results of the managed machine.

What is the severity of CVE-2021-3533?

CVE-2021-3533 has a severity rating of low (2.5).

Which software versions are affected by CVE-2021-3533?

Redhat Ansible Automation Platform 1.2, Redhat Ansible Tower 3.7.0, Redhat Ansible Engine 2.0, Redhat Ansible Tower 3.0, Redhat Enterprise Linux 7.0, Fedoraproject Fedora 34, and Redhat Openstack-rdo are affected by CVE-2021-3533.

How can the CVE-2021-3533 vulnerability be fixed?

To fix CVE-2021-3533, users should avoid setting ANSIBLE_ASYNC_DIR to a subdirectory of a world writable directory in Ansible.

Vulnerability/
CVE-2021-3533

low

2.5

CWE

362 367

9/6/2021

23/1/2024

CVE-2021-3533: Race Condition

First published: Wed Jun 09 2021(Updated: )

A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world writable directory. When this occurs, there is a race condition on the managed machine. A malicious, non-privileged account on the remote machine can exploit the race condition to access the async result data. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.

Credit: secalert@redhat.com secalert@redhat.com

Affected Software	Affected Version	How to fix
Redhat Ansible Automation Platform	=1.2
Redhat Ansible Tower	=3.7.0
Redhat Ansible Engine	=2.0
Redhat Ansible Tower	=3.0
Redhat Enterprise Linux	=7.0
Fedoraproject Fedora	=34
Redhat Openstack-rdo

Never miss a vulnerability like this again

Reference Links

https://bugzilla.redhat.com/show_bug.cgi?id=1956477

Frequently Asked Questions

What is CVE-2021-3533?
CVE-2021-3533 is a vulnerability found in Ansible that allows a malicious, non-privileged account to exploit a race condition and access the async results of the managed machine.
How does CVE-2021-3533 affect Ansible?
CVE-2021-3533 affects Ansible if an ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world writable directory, creating a race condition on the managed machine that can be exploited.
What is the severity of CVE-2021-3533?
CVE-2021-3533 has a severity rating of low (2.5).
Which software versions are affected by CVE-2021-3533?
Redhat Ansible Automation Platform 1.2, Redhat Ansible Tower 3.7.0, Redhat Ansible Engine 2.0, Redhat Ansible Tower 3.0, Redhat Enterprise Linux 7.0, Fedoraproject Fedora 34, and Redhat Openstack-rdo are affected by CVE-2021-3533.
How can the CVE-2021-3533 vulnerability be fixed?
To fix CVE-2021-3533, users should avoid setting ANSIBLE_ASYNC_DIR to a subdirectory of a world writable directory in Ansible.

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/severity
agent/softwarecombine
agent/status
agent/tags
agent/type
agent/weakness
collector/mitre-cve
source/MITRE
collector/nvd-api
source/NVD
collector/nvd-index
status/rejected
vendor/redhat
canonical/redhat ansible automation platform
version/redhat ansible automation platform/1.2
canonical/redhat ansible tower
version/redhat ansible tower/3.7.0
canonical/redhat ansible engine
version/redhat ansible engine/2.0
version/redhat ansible tower/3.0
canonical/redhat enterprise linux
version/redhat enterprise linux/7.0
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/34
canonical/redhat openstack-rdo

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.