Описание
An exposure of sensitive information flaw was found in Ansible version 3.7.0. Sensitive information, such tokens and other secrets could be readable and exposed from the rsyslog configuration file, which has set the wrong world-readable permissions. The highest threat from this vulnerability is to confidentiality. This is fixed in Ansible version 3.7.1.
An exposure of sensitive information flaw was found in Ansible. Sensitive information, such tokens and other secrets could be readable and exposed from the rsyslog configuration file, which has set the wrong world-readable permissions. The highest threat from this vulnerability is to confidentiality.
Отчет
- Ansible Tower 3.7.0 is affected.
Меры по смягчению последствий
Setting manual permissions for the rsyslog.conf file to 0640 would mitigate the issue temporarily. However, be aware that every time the Tower services are restarted, the permissions are restored to 644 after some time.
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
An exposure of sensitive information flaw was found in Ansible version 3.7.0. Sensitive information, such tokens and other secrets could be readable and exposed from the rsyslog configuration file, which has set the wrong world-readable permissions. The highest threat from this vulnerability is to confidentiality. This is fixed in Ansible version 3.7.1.
An exposure of sensitive information flaw was found in Ansible Tower before version 3.7.1. sensitive information such as Splunk tokens could be readable in the rsyslog configuration file, which has set the wrong world-readable permissions. The highest threat from this vulnerability is to confidentiality.
Уязвимость файла конфигурации rsyslog системы управления конфигурациями Ansible, позволющая нарушителю получить несанкционированный доступ к защищаемой информации
EPSS
6.5 Medium
CVSS3