SCA: security update for ansible (GHSA-2pfh-q76x-gwvm)

high Tenable Cloud Security Plugin ID 409015

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can
occur through facts used in the template if the user is trying to put templates in multi-line YAML strings
and the facts being handled do not routinely include special template characters. This flaw allows
attackers to perform command injection, which discloses sensitive information. The highest threat from
this vulnerability is to confidentiality and integrity. (CVE-2021-3583)

See Also

https://github.com/advisories/GHSA-2pfh-q76x-gwvm

Plugin Details

Severity: High

ID: 409015

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.06

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Low

Base Score: 3.6

Temporal Score: 2.7

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2021-3583

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.2

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.6

Threat Score: 6.2

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/23/2021

Vulnerability Publication Date: 7/7/2021

Reference Information

CVE: CVE-2021-3583

IAVB: 2022-B-0007

cwe: CWE-20, CWE-77, CWE-94