{"api_version":"1","generated_at":"2026-04-23T00:40:09+00:00","cve":"CVE-2021-3583","urls":{"html":"https://cve.report/CVE-2021-3583","api":"https://cve.report/api/cve/CVE-2021-3583.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-3583","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-3583"},"summary":{"title":"CVE-2021-3583","description":"A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2021-09-22 12:15:00","updated_at":"2023-12-28 19:15:00"},"problem_types":["CWE-94"],"metrics":[],"references":[{"url":"https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html","name":"[debian-lts-announce] 20231228 [SECURITY] [DLA 3695-1] ansible security update","refsource":"","tags":[],"title":"[SECURITY] [DLA 3695-1] ansible security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1968412","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1968412","refsource":"MISC","tags":[],"title":"1968412 – (CVE-2021-3583) CVE-2021-3583 ansible: Template Injection through yaml multi-line strings with ansible facts used in template.","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-3583","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3583","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"3583","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"ansible_automation_platform","cpe6":"1.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3583","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"ansible_engine","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3583","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"ansible_tower","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-3583","qid":"182514","title":"Debian Security Update for ansibleansible-core (CVE-2021-3583)"},{"cve":"CVE-2021-3583","qid":"239484","title":"Red Hat Update for Ansible (RHSA-2021:2664)"},{"cve":"CVE-2021-3583","qid":"239485","title":"Red Hat Update for Ansible (RHSA-2021:2663)"},{"cve":"CVE-2021-3583","qid":"281674","title":"Fedora Security Update for ansible (FEDORA-2021-574ee4dd30)"},{"cve":"CVE-2021-3583","qid":"281675","title":"Fedora Security Update for ansible (FEDORA-2021-4ad7c70d71)"},{"cve":"CVE-2021-3583","qid":"356238","title":"Amazon Linux Security Advisory for ansible : ALASANSIBLE2-2023-001"},{"cve":"CVE-2021-3583","qid":"356502","title":"Amazon Linux Security Advisory for ansible : ALAS2ANSIBLE2-2023-001"},{"cve":"CVE-2021-3583","qid":"6000405","title":"Debian Security Update for ansible (DLA 3695-1)"},{"cve":"CVE-2021-3583","qid":"690099","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for ansible (4c9159ea-d4c9-11eb-aeee-8c164582fbac)"},{"cve":"CVE-2021-3583","qid":"752570","title":"SUSE Enterprise Linux Important for SUSE Manager Client Tools (SUSE-SU-2022:3178-1)"},{"cve":"CVE-2021-3583","qid":"900417","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for ansible (6009)"},{"cve":"CVE-2021-3583","qid":"900897","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for ansible (6305-1)"},{"cve":"CVE-2021-3583","qid":"980519","title":"Python (pip) Security Update for ansible (GHSA-2pfh-q76x-gwvm)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-3583","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"ansible","version":{"version_data":[{"version_value":"ansible_tower 3.7, ansible_engine 2.9.23"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-20->CWE-77"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1968412","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1968412"}]},"description":{"description_data":[{"lang":"eng","value":"A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity."}]}},"nvd":{"publishedDate":"2021-09-22 12:15:00","lastModifiedDate":"2023-12-28 19:15:00","problem_types":["CWE-94"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.1,"baseSeverity":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:L/Au:N/C:P/I:P/A:N","accessVector":"LOCAL","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":3.6},"severity":"LOW","exploitabilityScore":3.9,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:ansible_automation_platform:1.2:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*","versionEndExcluding":"3.7.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*","versionEndExcluding":"2.9.23","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"3583","Ordinal":"209361","Title":"CVE-2021-3583","CVE":"CVE-2021-3583","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"3583","Ordinal":"1","NoteData":"A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"3583","Ordinal":"2","NoteData":"2021-09-22","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"3583","Ordinal":"3","NoteData":"2021-09-22","Type":"Other","Title":"Modified"}]}}}