Fluid Attacks Database

Description

ansible-runner has default temporary files written to world R/W locations A flaw was found in ansible-runner where the default temporary files configuration in ansible-2.0.0 are written to world R/W locations. This flaw allows an attacker to pre-create the directory, resulting in reading private information or forcing ansible-runner to write files as the legitimate user in a place they did not expect. The highest threat from this vulnerability is to confidentiality and integrity.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	ansible-runner	>=2.0.0 <2.1.0	2.1.0
debian 12	ansible-runner	>=0 <2.1.1-1	2.1.1-1
debian 13	ansible-runner	>=0 <2.1.1-1	2.1.1-1
debian 14	ansible-runner	>=0 <2.1.1-1	2.1.1-1

Aliases

1. CVE-2021-37012. NVD-2021-37013. OSV-2021-37014. OSV-DEBIAN-2021-37015. GCVE-2021-37016. ACCESS-CVE-2021-37017. SECURITY-TRACKER-CVE-2021-3701

References

1. https://github.com/ansible/ansible-runner/issues/7382. https://github.com/ansible/ansible-runner/pull/7423. https://github.com/ansible/ansible-runner/pull/742/commits4. https://bugzilla.redhat.com/show_bug.cgi?id=19779595. https://github.com/pypa/advisory-database/tree/main/vulns/ansible-runner/PYSEC-2022-43067.yaml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.