Main Vulnerability Database Vulnerabilities #VU24221

Resource management error in Ansible Tower - CVE-2019-19342

Published: January 13, 2020

Vulnerability identifier: #VU24221

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-19342

CWE-ID: CWE-399

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Red Hat Inc.

Affected software:
Ansible Tower

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to error handling issue in Ansible Tower, when /websocket is requested and the password contains the '#' character. This request would cause a socket error in RabbitMQ when parsing the password and an HTTP error code 500 and partial password disclose will occur in plaintext. An attacker could easily guess some predictable passwords or brute force the password.

How to mitigate CVE-2019-19342

Install updates from vendor's website.

Sources

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19342

Resource management error in Ansible Tower - CVE-2019-19342

Detailed vulnerability description

How to mitigate CVE-2019-19342

Sources

Please verify you're human