CVE-2021-3583
Template Injection vulnerability in ansible (PyPI)
What is CVE-2021-3583 About?
Ansible is vulnerable to Template Injection, allowing attackers to perform command injection and sensitive information disclosure. This occurs when facts used in templates within multi-line YAML strings are not properly sanitized for special template characters. Exploitation can lead to significant confidentiality and integrity impact.
Affected Software
- ansible
  - >2.10.0a1, <2.10.11rc1
  - <2.9.23
  - <2.9.23rc1
  - >2.11.0a1, <2.11.2rc1
Technical Details
The vulnerability in Ansible stems from a template injection flaw when facts (variables gathered about managed hosts) are used within templates embedded in multi-line YAML strings. If these facts are not properly sanitized and happen to contain characters or syntax that Ansible's templating engine (Jinja2) interprets as template directives, an attacker who can influence the content of these facts can inject malicious template code. This injected code is then executed when the template is rendered, allowing for arbitrary command execution on the Ansible controller or target hosts, or the disclosure of sensitive information accessible to the Ansible process. The flaw is noted specifically for cases where the facts being handled do not routinely include special template characters, which suggests that such input was not anticipated.
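As an added example (not code from Ansible or from this advisory), the following Python script walks a gathered-facts structure and reports every string key or value that contains a Jinja2 opening delimiter, which is the kind of fact content the paragraph above describes as dangerous once it reaches a template. The sample facts and their values are constructed, and the function names are hypothetical.

```python
import json
import re

# Jinja2's default opening delimiters for expressions, statements and comments.
TEMPLATE_MARKER = re.compile(r"\{\{|\{%|\{#")


def find_template_markers(node, path="ansible_facts"):
    """Return (path, text) pairs for every string key or value in a nested
    fact structure that contains a Jinja2 opening delimiter."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(key, str) and TEMPLATE_MARKER.search(key):
                hits.append((child, key))
            hits.extend(find_template_markers(value, child))
    elif isinstance(node, (list, tuple)):
        for index, value in enumerate(node):
            hits.extend(find_template_markers(value, f"{path}[{index}]"))
    elif isinstance(node, str) and TEMPLATE_MARKER.search(node):
        hits.append((path, node))
    return hits


# Constructed sample: fact names follow Ansible's setup output, values are invented.
SAMPLE_FACTS = json.loads(r"""
{
  "ansible_hostname": "web01",
  "ansible_kernel": "5.10.0-8-amd64",
  "ansible_local": {
    "app": {"motd": "maintenance {{ example }} window", "owner": "ops"}
  },
  "ansible_mounts": [
    {"mount": "/", "device": "/dev/sda1"},
    {"mount": "/data", "device": "{% example %}"}
  ]
}
""")


def report(facts):
    """Format each finding as 'path: value' for review."""
    return [f"{path}: {value!r}" for path, value in find_template_markers(facts)]


if __name__ == "__main__":
    for line in report(SAMPLE_FACTS):
        print(line)
```

A hit marks a fact to review before it is used in a template; it does not replace upgrading to a fixed release.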
What is the Impact of CVE-2021-3583?
Successful exploitation may allow attackers to execute arbitrary commands, disclose sensitive information, or compromise the integrity of managed systems.
What is the Exploitability of CVE-2021-3583?
Exploitation requires an attacker to influence the content of facts used in Ansible templates, specifically when those templates are within multi-line YAML strings. The complexity is moderate, as it requires knowledge of Ansible's templating specifics and how to inject malicious constructs. Authentication to the Ansible system or control over facts passed to it would be a prerequisite. Given the nature of Ansible, an attacker would likely need some level of access or influence over fact gathering or playbook execution. Privilege requirements could vary, but even low-privileged access to modify facts could lead to high-impact consequences. This is typically a local or internal network vulnerability, depending on how Ansible is exposed. Special conditions include the use of multi-line YAML strings for templates that incorporate unvalidated facts. Risk factors increase if untrusted inputs can propagate into Ansible facts or if privilege separation within Ansible operations is insufficient.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-3583?
Available Upgrade Options
- ansible
  - <2.9.23rc1 → Upgrade to 2.9.23rc1
  - <2.9.23 → Upgrade to 2.9.23
  - >2.10.0a1, <2.10.11rc1 → Upgrade to 2.10.11rc1
  - >2.11.0a1, <2.11.2rc1 → Upgrade to 2.11.2rc1
Additional Resources
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
- https://github.com/advisories/GHSA-2pfh-q76x-gwvm
- https://github.com/ansible/ansible/commit/8aa850e3573e48c9a2f12aef84e8a3a6f5ba4847
- https://github.com/ansible/ansible/commit/03aff644cc1c00e1f7551195c68fbd0d13a39e6e
- https://nvd.nist.gov/vuln/detail/CVE-2021-3583
- https://osv.dev/vulnerability/PYSEC-2021-358
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2021-358.yaml
- https://github.com/ansible/ansible/pull/74960
- https://bugzilla.redhat.com/show_bug.cgi?id=1968412
- https://github.com/ansible/ansible/commit/8b17e5b9229ffaecfe10a4881bc3f87dd2c184e1
What are Similar Vulnerabilities to CVE-2021-3583?
Similar Vulnerabilities: CVE-2022-24765, CVE-2022-23035, CVE-2021-28373, CVE-2021-43286, CVE-2021-3864
