CVE-2019-19341

Опубликовано: 14 дек. 2019

Источник: redhat

CVSS3: 5.9

Описание

A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2, where files in '/var/backup/tower' are left world-readable. These files include both the SECRET_KEY and the database backup. Any user with access to the Tower server, and knowledge of when a backup is run, could retrieve every credential stored in Tower. Access to data is the highest threat with this vulnerability.

A flaw was found in Ansible Tower 3.6.1 and 3.5.3 where files in '/var/backup/tower' are left world-readable. These files include both the SECRET_KEY and the database backup. Any user with access to the Tower server, and knowledge of when a backup is run, could retrieve every credential stored in Tower. Access to data is the highest threat with this vulnerability.

Отчет

Red Hat CloudForms 4.7 (5.10) release is not affected, because we do not run Ansible Tower backups from CloudForms.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
CloudForms Management Engine 5	ansible-tower	Not affected
Red Hat Ansible Tower 3.5 for RHEL 7	ansible-tower-35/ansible-tower	Fixed	RHSA-2019:4242	16.12.2019
Red Hat Ansible Tower 3.6 for RHEL 7	ansible-tower-36/ansible-tower	Fixed	RHSA-2019:4243	16.12.2019

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-732

https://bugzilla.redhat.com/show_bug.cgi?id=1782625Tower: intermediate files during Tower backup are world-readable

5.9 Medium

CVSS3

Связанные уязвимости

CVE-2019-19341

CVSS3: 5.5

nvd

около 6 лет назад

GHSA-jx7q-9m4v-jj44

CVSS3: 5.5

github

больше 3 лет назад

5.9 Medium

CVSS3