CVE-2021-3583
HIGH
Ansible Automation Platform - Code Injection via Template Injection
Title source: llm
Description
A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.
References (2)
Core References
Mailing List
https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
Issue Tracking, Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1968412
Scores
CVSS v3
7.1
EPSS
0.0028
EPSS Percentile
51.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-94
CWE-20
Status
published
Products (4)
pypi/ansible
0 - 2.9.23rc1 (PyPI)
redhat/ansible_automation_platform
1.2
redhat/ansible_engine
< 2.9.23
redhat/ansible_tower
< 3.7.0
Published
Sep 22, 2021
Tracked Since
Feb 18, 2026