On Sun, Jul 10, 2022 at 10:27:06PM +0200, Moritz Mühlenhoff wrote:
> Source: ansible
> X-Debbugs-CC: t...@security.debian.org
> Severity: normal
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for ansible.
> 
> CVE-2021-3532[0]:
> | A flaw was found in Ansible where the secret information present in
> | async_files are getting disclosed when the user changes the jobdir to
> | a world readable directory. Any secret information in an async status
> | file will be readable by a malicious user on that system. This flaw
> | affects Ansible Tower 3.7 and Ansible Automation Platform 1.2.
> 
> Red Hat Bugzilla seems to be the original report here:
> https://bugzilla.redhat.com/show_bug.cgi?id=1956464
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2021-3532
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3532
> 
> Please adjust the affected versions in the BTS as needed.

This CVE was rejected by the assigning CNA (Red Hat) with "This CVE is
marked as INVALID and not a bug".

Regards,
Salvatore
