Closed janlaan closed 1 year ago
Ah, there's a difference in versioning between Ansible and ansible-core apparently. The GitHub issues do belong to the CVE. I don't completely understand Ansible version numbering though, but I'm pretty sure this issue has been fixed in 2.10+ at least. Maybe even 2.8+.
Sorry for the delay. We are still working on developing processes to handle issues, and I have been away for a while (catching up now)!
This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.
OSS Index is now reporting "deviation notices" which often explain why OSS Index vulnerabilities differ from the related NVD advisories. If you log in at OSS Index and go to your link, you can now see this:
The Sonatype security research team discovered that the vulnerability is present in all versions of the package, not just versions before 1.2.2 as the advisory states.
Our researchers often do deep code reviews up to and including testing exploits in determining the full impact of an issue.
For the record, we are migrating to a new email-based reporting system in order to better mesh with our internal processes, which will allow us to be more reactive to our users.
As such, if you notice further issues or would like to follow up on this one, please email ossindex@sonatype.org.
Vulnerability URL
Component URL
Description: CVE-2021-3447 is reported for every Ansible version, including the latest. However, the linked CVE says it's only for Ansible versions up to 1.2.2. The linked Ansible GitHub issues say it's for Ansible 2.8/2.9, so they seem to be for a different vuln. Either way, recent versions of Ansible do not contain this CVE.