#VU24220 Improper access control in Ansible Tower - CVE-2019-19340

Published: January 13, 2020


Vulnerability identifier: #VU24220
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2019-19340
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Ansible Tower
Software vendor: Red Hat Inc.

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in Ansible Tower: enabling the RabbitMQ manager by passing the extra variable '-e rabbitmq_enable_manager=true' exposes the RabbitMQ management interface publicly, as expected. If the default admin user is still active, an attacker could guess its password and gain access to the system.


Remediation

Install updates from the vendor's website.

External links