Information disclosure in Ansible Tower

#VU31137 Information disclosure in Ansible Tower

Cybersecurity Help s.r.o.

Published: 2019-03-28 | Updated: 2020-07-17

Vulnerability identifier: #VU31137

Vulnerability risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-3869

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ansible Tower
Web applications / Remote management & hosting panels

Vendor: Red Hat Inc.

Description

The vulnerability allows a remote privileged user to execute arbitrary code.

When running Tower before 3.4.3 on OpenShift or Kubernetes, application credentials are exposed to playbook job runs via environment variables. A malicious user with the ability to write playbooks could use this to gain administrative privileges.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Ansible Tower: 3.4.0 - 3.4.2

External links
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3869
http://github.com/ansible/awx/pull/3505

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in Ansible Tower