
Cloud Vulnerability DB
A community-led vulnerabilities database
A race condition vulnerability was identified in ansible-runner, tracked as CVE-2021-3702. The vulnerability allows an attacker to watch for rapid creation and deletion of a temporary directory, substitute their directory at that name, and subsequently gain access to ansible-runner's private_data_dir when ansible-runner makes use of it again (CVE Mitre, Red Hat Bugzilla).
The vulnerability stems from insecure handling of temporary directories in ansible-runner. The issue was discovered in the code that manages the creation and deletion of temporary directories, specifically affecting the private_data_dir functionality. The vulnerability was fixed through a patch that implemented secure temporary file handling using mkdtemp() (GitHub Commit).
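The general pattern behind this class of bug, as an added example that is not ansible-runner's code or its actual patch: recreating a deleted directory name non-exclusively versus creating it atomically with mkdtemp() and checking it before reuse. The function names, the `runner_` prefix and the sample paths are assumptions made for illustration, and the ownership check assumes a POSIX system.

```python
import os
import stat
import tempfile


def recreate_unsafe(path):
    # Anti-pattern: exist_ok=True accepts whatever already sits at `path`,
    # including a directory another local user created after it was deleted.
    os.makedirs(path, exist_ok=True)
    return path


def recreate_exclusive(path):
    # os.mkdir() is atomic and raises FileExistsError if the name is taken,
    # so a substituted directory is rejected instead of silently reused.
    os.mkdir(path, 0o700)
    return path


def create_private_dir(base=None):
    # mkdtemp() picks an unpredictable name and creates it exclusively with
    # mode 0o700; keep this directory for the whole run instead of deleting
    # and recreating it. The "runner_" prefix is a hypothetical choice.
    return tempfile.mkdtemp(prefix="runner_", dir=base)


def is_trustworthy(path):
    # Check before reuse: a real directory (not a symlink), owned by the
    # current user, with no group/other permission bits.
    st = os.lstat(path)
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == os.geteuid()
            and stat.S_IMODE(st.st_mode) & 0o077 == 0)


if __name__ == "__main__":
    base = tempfile.mkdtemp()                 # constructed sandbox
    taken = os.path.join(base, "runner_old")  # constructed path
    os.mkdir(taken)
    os.chmod(taken, 0o777)                    # stands in for a foreign directory
    print("unsafe reuse trusted:", is_trustworthy(recreate_unsafe(taken)))
    try:
        recreate_exclusive(taken)
    except FileExistsError:
        print("exclusive create refused the existing directory")
    print("fresh dir trusted:", is_trustworthy(create_private_dir(base)))
```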
The highest threat from this vulnerability is to integrity and confidentiality. An attacker who successfully exploits this vulnerability could gain unauthorized access to ansible-runner's private_data_dir, potentially exposing sensitive information (CVE Mitre).
The vulnerability was fixed before ansible-runner 2.0 was published. The fix was implemented through a pull request that was back-ported to release_2.0 before it went GA. Notably, version 1.4 and earlier versions did not contain this vulnerable code, meaning no released version of runner was actually impacted (Red Hat Bugzilla).
Source: This report was generated using AI