CVE-2020-10698

Опубликовано: 27 мар. 2020

Источник: redhat

CVSS3: 3.2

EPSS Низкий

Описание

A flaw was found in Ansible Tower when running jobs. This flaw allows an attacker to access the stdout of the executed jobs which are run from other organizations. Some sensible data can be disclosed. However, critical data should not be disclosed, as it should be protected by the no_log flag when debugging is enabled. This flaw affects Ansible Tower versions before 3.6.4, Ansible Tower versions before 3.5.6 and Ansible Tower versions before 3.4.6.

A flaw was found in Ansible Tower when running jobs. This flaw allows an attacker to access the stdout of the executed jobs which are run from other organizations. Some sensible data can be disclosed. However, critical data should not be disclosed, as it should be protected by the no_log flag when debugging is enabled.

Отчет

Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.

Меры по смягчению последствий

This issue is possible to mitigate by disabling the stdout from jobs run through the nginx configuration file. However this may affect the usage of Tower as stdout stream would be hidden. To disable the output of running jobs the entire 'location /websocket' block from the nginx configuration (and restarting nginx service) it would be required. Nginx will stop serving /websocket by 404 HTTP code return.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Ansible Tower 3	ansible	Affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low

Дефект:

CWE-200

https://bugzilla.redhat.com/show_bug.cgi?id=1818924Tower: normal users can intercept stdout from jobs running in other organizations

EPSS

Процентиль: 12%

0.00041

Низкий

3.2 Low

CVSS3

Связанные уязвимости

CVE-2020-10698

CVSS3: 3.3

nvd

больше 4 лет назад

GHSA-j574-xrvq-v9wf