Search Results (Refine Search)
- Keyword (text search): cpe:2.3:a:redhat:ansible_tower:-:*:*:*:*:*:*:*
- CPE Name Search: true
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2019-3869 |
When running Tower before 3.4.3 on OpenShift or Kubernetes, application credentials are exposed to playbook job runs via environment variables. A malicious user with the ability to write playbooks could use this to gain administrative privileges. Published: March 28, 2019; 10:29:00 AM -0400 |
V4.0:(not available) V3.1: 7.2 HIGH V2.0: 4.0 MEDIUM |
CVE-2018-16879 |
Ansible Tower before version 3.3.3 does not set a secure channel as it is using the default insecure configuration channel settings for messaging celery workers from RabbitMQ. This could lead in data leak of sensitive information such as passwords as well as denial of service attacks by deleting projects or inventory files. Published: January 03, 2019; 9:29:00 AM -0500 |
V4.0:(not available) V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2016-7070 |
A privilege escalation flaw was found in the Ansible Tower. When Tower before 3.0.3 deploys a PostgreSQL database, it incorrectly configures the trust level of postgres user. An attacker could use this vulnerability to gain admin level access to the database. Published: September 11, 2018; 9:29:00 AM -0400 |
V4.0:(not available) V3.0: 8.0 HIGH V2.0: 5.2 MEDIUM |
CVE-2017-7528 |
Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that X-Forwarded-For header allows internal servers to deploy other systems (using callback). Published: August 22, 2018; 12:29:03 PM -0400 |
V4.0:(not available) V3.0: 6.5 MEDIUM V2.0: 3.3 LOW |
CVE-2017-12148 |
A flaw was found in Ansible Tower's interface before 3.1.5 and 3.2.0 with SCM repositories. If a Tower project (SCM repository) definition does not have the 'delete before update' flag set, an attacker with commit access to the upstream playbook source repository could create a Trojan playbook that, when executed by Tower, modifies the checked out SCM repository to add git hooks. These git hooks could, in turn, cause arbitrary command and code execution as the user Tower runs as. Published: July 27, 2018; 12:29:00 PM -0400 |
V4.0:(not available) V3.0: 7.2 HIGH V2.0: 9.0 HIGH |
CVE-2018-1104 |
Ansible Tower through version 3.2.3 has a vulnerability that allows users only with access to define variables for a job template to execute arbitrary code on the Tower server. Published: May 02, 2018; 3:29:00 PM -0400 |
V4.0:(not available) V3.0: 8.8 HIGH V2.0: 6.5 MEDIUM |
CVE-2018-1101 |
Ansible Tower before version 3.2.4 has a flaw in the management of system and organization administrators that allows for privilege escalation. System administrators that are members of organizations can have their passwords reset by organization administrators, allowing organization administrators access to the entire system. Published: May 02, 2018; 2:29:00 PM -0400 |
V4.0:(not available) V3.0: 7.2 HIGH V2.0: 6.5 MEDIUM |