CVE-2021-33923
Description
Insecure permissions in Confluent Ansible (cp-ansible) 5.5.0, 5.5.1, 5.5.2 and 6.0.0 allow local attackers to access some sensitive information (private keys, state database).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Insecure permissions in Confluent Ansible (cp-ansible) 5.5.0, 5.5.1, 5.5.2 and 6.0.0 allow local attackers to access private keys and the state database.
Vulnerability
Confluent Ansible (cp-ansible) versions 5.5.0, 5.5.1, 5.5.2, and 6.0.0 set insecure permissions on sensitive configuration files, including private keys and the state database [2]. This affects default installations of the toolset used to deploy Confluent Platform.
Exploitation
A local attacker with access to the operating system can read the affected files due to overly relaxed permissions [2]. No authentication or additional privileges beyond local user access are required.
Impact
Successful exploitation leads to disclosure of sensitive information, such as private keys and state database contents, which could compromise cryptographic material and lead to further system compromise [2].
Mitigation
The vulnerability is fixed in cp-ansible versions 5.5.3 and 6.0.1, released in December 2020 [2]. Users should upgrade to these or later versions. No workaround is available.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Confluent/cp-ansible
- Range: 5.5.0, 5.5.1, 5.5.2, 6.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"cp-ansible sets overly permissive file permissions on sensitive local configuration files (private keys, state database) during deployment."
Attack vector
A local attacker with a rogue operating system user account can read sensitive files (private keys, state database) because cp-ansible sets overly relaxed permissions on those files during installation [ref_id=1]. No network-based exploitation is required; the attacker must already have local access to the host where Confluent Platform components are deployed via cp-ansible [ref_id=1].
Affected code
The advisory does not specify exact file paths or function names. It states that cp-ansible versions prior to 5.5.3 and 6.0.1 set insecure permissions on "sensitive local configuration files" including private keys and the state database [ref_id=1].
What the fix does
The advisory states the fix is included in cp-ansible versions 5.5.3 and 6.0.1, released in December 2020 [ref_id=1]. No patch diff is provided in the bundle; the remediation guidance is to update existing installations to these versions, which tighten the permissions on sensitive local configuration files [ref_id=1].
Preconditions
- auth: Attacker must have local operating system user access to the host running Confluent Platform components deployed by cp-ansible.
- config: The host must be running a vulnerable cp-ansible version (5.5.0, 5.5.1, 5.5.2, or 6.0.0).
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- confluent.io (mitre, x_refsource_MISC)
- www.detack.de/en/cve-2021-33923 (mitre, x_refsource_MISC)