Lucene search

[email protected]CVE-2019-19341

HistoryDec 19, 2019 - 9:15 p.m.

CVE-2019-19341

2019-12-1921:15:14

CWE-732

[email protected]

web.nvd.nist.gov

123

cve-2019-19341

ansible tower

data breach

unauthorized access

security vulnerability

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

5.5 Medium

AI Score

Confidence

High

2.1 Low

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

12.6%

JSON

A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2, where files in ‘/var/backup/tower’ are left world-readable. These files include both the SECRET_KEY and the database backup. Any user with access to the Tower server, and knowledge of when a backup is run, could retrieve every credential stored in Tower. Access to data is the highest threat with this vulnerability.

Affected configurations

Vulners

NVD

Node

redhatansible_towerRange3.6.0–3.6.2

VendorProductVersionCPE
redhatansible_tower*cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	ansible_tower	*	cpe:2.3:a:redhat:ansible_tower::::::::

CNA Affected

[
  {
    "product": "Tower",
    "vendor": "RedHat",
    "versions": [
      {
        "status": "affected",
        "version": "all ansible_tower versions 3.6.x before 3.6.2"
      }
    ]
  }
]