PT-2022-10609 · Unknown · Ansible-Runner
Abadger · Published 2022-08-23 · Updated 2023-02-17 · CVE-2021-3701
CVSS v4.0: 6.8 (Medium)
Vector: AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
ansible-runner version 2.0.0
Description
A flaw was found in ansible-runner where the default temporary files configuration is written to world-readable and world-writable (R/W) locations. This flaw allows an attacker to pre-create the directory, resulting in reading private information or forcing ansible-runner to write files as the legitimate user in a place they did not expect. The highest threat from this vulnerability is to confidentiality and integrity.
Recommendations
For version 2.0.0, consider changing the default temporary files configuration to a secure location to prevent unauthorized access. As a temporary workaround, restrict write access to the temporary files directory to minimize the risk of exploitation.
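The check below is an added example, not ansible-runner's code or its fix: it shows how a POSIX process can refuse a working directory that was pre-created or left open to other users, and create a private one instead. The function names `check_private_dir` and `make_private_dir` and the `runner_example_` prefix are hypothetical.

```python
import os
import stat
import tempfile


def check_private_dir(path):
    """Return the reasons `path` is unsafe as a private working directory."""
    try:
        st = os.lstat(path)  # lstat: never follow a symlink planted at the path
    except FileNotFoundError:
        return ["does not exist"]
    problems = []
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink")
    elif not stat.S_ISDIR(st.st_mode):
        problems.append("is not a directory")
    if st.st_uid != os.geteuid():
        problems.append("owned by another user")  # pre-created by someone else
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append("accessible to group or others")
    return problems


def make_private_dir(base=None, prefix="runner_example_"):
    """Create a fresh directory; fail instead of adopting an existing one."""
    # mkdtemp picks an unpredictable name, creates the directory with mode
    # 0700, and retries on a name collision rather than reusing the entry.
    path = tempfile.mkdtemp(prefix=prefix, dir=base)
    problems = check_private_dir(path)
    if problems:
        raise RuntimeError(f"{path}: {', '.join(problems)}")
    return path


if __name__ == "__main__":
    sandbox = tempfile.mkdtemp()  # constructed stand-in for a shared temp area
    shared = os.path.join(sandbox, "predictable_name")
    os.mkdir(shared)
    os.chmod(shared, 0o777)  # constructed: directory anyone can write to
    print(shared, "->", check_private_dir(shared))
    private = make_private_dir(base=sandbox)
    print(private, "->", check_private_dir(private) or "ok")
```

Running the same check against a directory before reusing it catches the pre-creation case the description names, because a directory made by another account fails the ownership test even when its mode looks restrictive.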
Fix
Incorrect Default Permissions
Weakness Enumeration
Related Identifiers
Affected Products
Ansible-Runner