Описание
A cross-site request forgery vulnerability in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method allowed attackers permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins
A flaw was found in ansible-tower. Form validation methods allowed attackers permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, leading to a cross-site request forgery vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| CloudForms Management Engine 5 | ansible-tower | Not affected | ||
| Red Hat Ansible Tower 3 | ansible-tower | Not affected |
Показывать по
Дополнительная информация
Статус:
8.8 High
CVSS3
Связанные уязвимости
A cross-site request forgery vulnerability in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method allowed attackers permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins
Jenkins Ansible Tower Plugin cross-site request forgery vulnerability
8.8 High
CVSS3