Bug 1956464 (CVE-2021-3532) - CVE-2021-3532 ansible: async_file sensitive information disclosure
Summary: CVE-2021-3532 ansible: async_file sensitive information disclosure
Keywords:
Status: NEW
Alias: CVE-2021-3532
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1959074 1959077 1959079 1959081 1959082 1959083 1959084 1959085 1959086 1959075 1959076
Blocks: 1887243 1956478
TreeView+ depends on / blocked
 
Reported: 2021-05-03 18:18 UTC by Tapas Jena
Modified: 2021-12-20 17:33 UTC (History)
30 users (show)

Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory. Any secret information in an async status file will be readable by a malicious user on that system.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Tapas Jena 2021-05-03 18:18:01 UTC
When an user changes the jobdir of async_files to a world readable directory, ansible writes the async status files directly into the world readable directory using umask to determine the file's permissions.  The umask on most systems allow world readable files.  This means that any secret information in an "async_status" file will be readable by a malicious user on that system.

Comment 3 Tapas Jena 2021-05-10 16:57:11 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1959083]
Affects: fedora-all [bug 1959082]
Affects: openstack-rdo [bug 1959081]

Comment 4 Tapas Jena 2021-05-10 16:57:41 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1959086]
Affects: fedora-all [bug 1959085]
Affects: openstack-rdo [bug 1959084]


Note You need to log in before you can comment on or make changes to this bug.