CVE-2019-19342

Опубликовано: 14 дек. 2019

Источник: redhat

CVSS3: 5.3

Описание

A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5.x before 3.5.4, when /websocket is requested and the password contains the '#' character. This request would cause a socket error in RabbitMQ when parsing the password and an HTTP error code 500 and partial password disclose will occur in plaintext. An attacker could easily guess some predictable passwords or brute force the password.

A flaw was found in Ansible Tower 3.6.1 and 3.5.3 when /websocket is requested and the password contains the '#' character. This request would cause a socket error in RabbitMQ when parsing the password and an HTTP error code 500 and partial password disclose will occur in plaintext. An attacker could easily guess some predictable passwords or brute force the password.

Меры по смягчению последствий

This issue could be mitigated by setting or changing the RabbitMQ passwords without using the specials characters. Complex passwords could still remain or even increase by using unpredictable longer strings. This adds much more entropy rather than just using special characters in shorter strings.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
CloudForms Management Engine 5	ansible-tower	Not affected
Red Hat Ansible Tower 3.5 for RHEL 7	ansible-tower-35/ansible-tower	Fixed	RHSA-2019:4242	16.12.2019
Red Hat Ansible Tower 3.6 for RHEL 7	ansible-tower-36/ansible-tower	Fixed	RHSA-2019:4243	16.12.2019

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-209

https://bugzilla.redhat.com/show_bug.cgi?id=1782623Tower: special characters in RabbitMQ passwords causes web socket 500 error

5.3 Medium

CVSS3

Связанные уязвимости

CVE-2019-19342

CVSS3: 5.3

nvd

около 6 лет назад

GHSA-85r5-c7pw-c69h

CVSS3: 5.3

github

больше 3 лет назад

5.3 Medium

CVSS3