Lucene search

[email protected]CVE-2020-14337

HistoryJul 31, 2020 - 1:15 p.m.

CVE-2020-14337

2020-07-3113:15:12

CWE-209

[email protected]

web.nvd.nist.gov

cve

2020

14337

data exposure

tower

http

error codes

remote attacker

data confidentiality

vulnerability

5.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

5.6 Medium

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

JSON

A data exposure flaw was found in Tower, where sensitive data was revealed from the HTTP return error codes. This flaw allows an unauthenticated, remote attacker to retrieve pages from the default organization and verify existing usernames. The highest threat from this vulnerability is to data confidentiality.

CPE configuration

Vulners

NVD

ansibletowerRange≤3.7.1

VendorProductVersionCPE
ansibletower*cpe:2.3:a:ansible:tower:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ansible	tower	*	cpe:2.3:a:ansible:tower::::::::

CNA Affected

[
  {
    "product": "Ansible Tower",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Ansible Tower 3.7.1 as well as previous versions are affected."
      }
    ]
  }
]