CVE-2021-3532 - log

CVE-2021-3532 edited at 09 Jun 2021 13:17:38
Description
- When a user changes the jobdir of async_files to a world-readable directory, ansible writes the async status files directly into the world-readable directory using umask to determine the file's permissions. The umask on most systems allows world-readable files. This means that any secret information in an "async_status" file will be readable by a malicious user on that system.
+ A flaw was found in Ansible where secret information present in async_files is disclosed when the user changes the jobdir to a world-readable directory. Any secret information in an async status file will be readable by a malicious user on that system. This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.
CVE-2021-3532 edited at 11 May 2021 09:39:06
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Local
Type
- Unknown
+ Information disclosure
Description
+ When a user changes the jobdir of async_files to a world-readable directory, ansible writes the async status files directly into the world-readable directory using umask to determine the file's permissions. The umask on most systems allows world-readable files. This means that any secret information in an "async_status" file will be readable by a malicious user on that system.
References
+ https://bugzilla.redhat.com/show_bug.cgi?id=1956464
Notes
CVE-2021-3532 created at 11 May 2021 09:38:09