CVE-2021-3533

Upstream information

CVE-2021-3533 at MITRE

Description

A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world writable directory. When this occurs, there is a race condition on the managed machine. A malicious, non-privileged account on the remote machine can exploit the race condition to access the async result data. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.

---

SUSE information

Overall state of this security issue: Analysis

This issue is currently rated as having moderate severity.

CVSS v3 Scores

	SUSE
Base Score	5
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Access Vector	Local
Access Complexity	Low
Privileges Required	Low
User Interaction	Required
Scope	Unchanged
Confidentiality Impact	High
Integrity Impact	None
Availability Impact	None
CVSSv3 Version	3.1

SUSE Bugzilla entry: 1186245 [NEW]

No SUSE Security Announcements cross referenced.

---

Status of this issue by product and package

Please note that this evaluation state might be work in progress, incomplete or outdated. Also information for service packs in the LTSS phase is only included for issues meeting the LTSS criteria. If in doubt, feel free to contact us for clarification.

Product(s)	Source package	State
HPE Helion OpenStack 8	ansible	Analysis
HPE Helion OpenStack 8	ansible1	Analysis
HPE Helion OpenStack 8	ardana-ansible	Analysis
HPE Helion OpenStack 8	ardana-service-ansible	Analysis
SUSE Manager Client Tools Beta for SLE 15	ansible	Analysis
SUSE Manager Client Tools for SLE 15	ansible	Analysis
SUSE OpenStack Cloud 7	ansible	Unsupported
SUSE OpenStack Cloud 8	ansible	Analysis
SUSE OpenStack Cloud 8	ansible1	Analysis
SUSE OpenStack Cloud 8	ardana-ansible	Analysis
SUSE OpenStack Cloud 8	ardana-service-ansible	Analysis
SUSE OpenStack Cloud 9	ansible1	Analysis
SUSE OpenStack Cloud 9	ardana-ansible	Analysis
SUSE OpenStack Cloud 9	ardana-service-ansible	Analysis
SUSE OpenStack Cloud Crowbar 8	ansible	Analysis