A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansible_runner.interface.run_command, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual environment.
References
Link | Resource |
---|---|
https://access.redhat.com/security/cve/CVE-2021-4041 | Vendor Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=2028074 | Issue Tracking Patch Vendor Advisory |
https://github.com/ansible/ansible-runner/commit/3533f265f4349a3f2a0283158cd01b59a6bbc7bd | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
29 Aug 2022, 14:30
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:redhat:ansible_runner:2.1.0:alpha1:*:*:*:*:*:* cpe:2.3:a:redhat:ansible_runner:*:*:*:*:*:*:*:* cpe:2.3:a:redhat:ansible_runner:2.1.0:alpha2:*:*:*:*:*:* cpe:2.3:a:redhat:ansible_runner:2.1.0:beta1:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.8 |
CWE | CWE-116 | |
First Time |
Redhat
Redhat ansible Runner |
|
References | (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2028074 - Issue Tracking, Patch, Vendor Advisory | |
References | (MISC) https://github.com/ansible/ansible-runner/commit/3533f265f4349a3f2a0283158cd01b59a6bbc7bd - Patch, Third Party Advisory | |
References | (MISC) https://access.redhat.com/security/cve/CVE-2021-4041 - Vendor Advisory |
24 Aug 2022, 16:24
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-08-24 16:15
Updated : 2023-12-10 14:35
NVD link : CVE-2021-4041
Mitre link : CVE-2021-4041
CVE.ORG link : CVE-2021-4041
JSON object : View
Products Affected
redhat
- ansible_runner