Main Vulnerability Database SB2018091112

SB2018091112 - Permissions, Privileges, and Access Controls in Ansible Tower

Published: September 11, 2018 Updated: July 17, 2020

Security Bulletin ID SB2018091112

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Adjecent network

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2016-7070)

The vulnerability allows a remote authenticated user to execute arbitrary code.

A privilege escalation flaw was found in the Ansible Tower. When Tower before 3.0.3 deploys a PostgreSQL database, it incorrectly configures the trust level of postgres user. An attacker could use this vulnerability to gain admin level access to the database.

Remediation

Install update from vendor's website.

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7070
https://docs.ansible.com/ansible-tower/3.0.3/html/upgrade-migration-guide/release_notes.html