CVE-2021-3533
Race Condition vulnerability in ansible (PyPI)

Race Condition | No known exploit

What is CVE-2021-3533 About?

This vulnerability is a race condition in Ansible, occurring when `ANSIBLE_ASYNC_DIR` is set to a subdirectory of a world-writable directory. A malicious, non-privileged user on a managed machine can exploit this race condition to access sensitive async result data. Exploitation requires specific configuration and local access to the managed machine but can lead to information disclosure.

Affected Software

ansible <3.0.0

Technical Details

The flaw exists in Ansible when the `ANSIBLE_ASYNC_DIR` environment variable points to a subdirectory within a world-writable directory. This configuration creates a window of vulnerability during asynchronous task execution on the managed machine. A non-privileged local attacker can exploit the race condition by timing their actions to access or manipulate the async result data stored in this insecurely configured directory before the legitimate Ansible process finalizes its operations or secures the data. Because the result data is exposed only transiently, within the race window, the outcome is unauthorized data access.
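A defensive check for the configuration described above, as an added example that is not part of the original advisory or of Ansible's code: it lists every world-writable ancestor of the configured async directory. The function names and the temporary directory tree are constructed for illustration, and the check is assumed to run on the managed machine with the value of `ANSIBLE_ASYNC_DIR` in use there.

```python
import os
import stat
import tempfile
from pathlib import Path


def world_writable_ancestors(async_dir):
    """Return each existing ancestor directory of async_dir that any user can write to."""
    path = Path(os.path.expanduser(async_dir)).absolute()
    risky = []
    for parent in path.parents:
        try:
            mode = parent.stat().st_mode
        except OSError:
            continue  # ancestor missing or unreadable: nothing to inspect
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            risky.append(str(parent))
    return risky


def audit_async_dir(env):
    """Check the ANSIBLE_ASYNC_DIR value found in an environment mapping."""
    configured = env.get("ANSIBLE_ASYNC_DIR")
    if not configured:
        return None, []  # variable unset: nothing configured here to audit
    return configured, world_writable_ancestors(configured)


def build_constructed_layout():
    """Create a throwaway tree (constructed sample): one world-writable parent, one private."""
    base = Path(tempfile.mkdtemp(prefix="async_audit_"))
    shared, private = base / "shared", base / "private"
    shared.mkdir()
    private.mkdir()
    os.chmod(shared, 0o1777)   # world-writable with sticky bit, like /tmp
    os.chmod(private, 0o700)   # owner only
    return shared, private


if __name__ == "__main__":
    shared, _ = build_constructed_layout()
    # Constructed values: one under the world-writable parent, one under the home directory.
    for value in (str(shared / "ansible_async"), "~/.ansible_async"):
        configured, risky = audit_async_dir({"ANSIBLE_ASYNC_DIR": value})
        print(f"{configured}: {'EXPOSED via ' + ', '.join(risky) if risky else 'ok'}")
```

Any path under the system temporary directory is reported as well, because that directory is itself world-writable; the sticky bit does not change the result.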

What is the Impact of CVE-2021-3533?

Successful exploitation may allow attackers to gain unauthorized access to sensitive async result data, potentially leading to information disclosure or further compromise of the system.

What is the Exploitability of CVE-2021-3533?

Exploitation of this race condition is of low complexity, but it depends on a specific configuration in which `ANSIBLE_ASYNC_DIR` is set to a subdirectory of a world-writable directory. No authentication to the Ansible controller is needed, but the attacker must be a non-privileged local user on the managed machine; this is a local vulnerability that requires local access to the target system. The primary constraint is the specific configuration of `ANSIBLE_ASYNC_DIR`. The likelihood of exploitation increases if Ansible setups commonly use such a configuration and if attackers have consistent local access to managed machines.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2021-3533?

Available Upgrade Options

  • ansible
    • <3.0.0 → Upgrade to 3.0.0


Additional Resources

What are Similar Vulnerabilities to CVE-2021-3533?

Similar Vulnerabilities: CVE-2018-1000136, CVE-2020-15906, CVE-2016-1240, CVE-2017-1000371, CVE-2019-1010024