Lucene search
RedhatCVELIST:CVE-2024-1657HistoryApr 25, 2024 - 4:28 p.m.
CVE-2024-1657 Ansible automation platform: insecure websocket used when interacting with eda server
2024-04-2516:28:38
CWE-1385
redhat
www.cve.org
cve-2024-1657; ansible platform; websocket; eda server; cidr block; confidentiality; integrity; installation; flaw; attacker; rulebook
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
8.1 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%
A flaw was found in the ansible automation platform. An insecure WebSocket connection was being used in installation from the Ansible rulebook EDA server. An attacker that has access to any machine in the CIDR block could download all rulebook data from the WebSocket, resulting in loss of confidentiality and integrity of the system.
CNA Affected
[
{
"vendor": "Red Hat",
"product": "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "ansible-automation-platform-installer",
"defaultStatus": "affected",
"versions": [
{
"version": "0:2.4-6.el8ap",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9",
"cpe:/a:redhat:ansible_automation_platform:2.4::el9",
"cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8",
"cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9",
"cpe:/a:redhat:ansible_automation_platform:2.4::el8",
"cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "ansible-rulebook",
"defaultStatus": "affected",
"versions": [
{
"version": "0:1.0.5-1.el8ap",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9",
"cpe:/a:redhat:ansible_automation_platform:2.4::el9",
"cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8",
"cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9",
"cpe:/a:redhat:ansible_automation_platform:2.4::el8",
"cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "automation-eda-controller",
"defaultStatus": "affected",
"versions": [
{
"version": "0:1.0.5-1.el8ap",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9",
"cpe:/a:redhat:ansible_automation_platform:2.4::el9",
"cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8",
"cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9",
"cpe:/a:redhat:ansible_automation_platform:2.4::el8",
"cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Ansible Automation Platform 2.4 for RHEL 9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "ansible-automation-platform-installer",
"defaultStatus": "affected",
"versions": [
{
"version": "0:2.4-6.el9ap",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9",
"cpe:/a:redhat:ansible_automation_platform:2.4::el9",
"cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8",
"cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9",
"cpe:/a:redhat:ansible_automation_platform:2.4::el8",
"cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Ansible Automation Platform 2.4 for RHEL 9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "ansible-rulebook",
"defaultStatus": "affected",
"versions": [
{
"version": "0:1.0.5-1.el9ap",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9",
"cpe:/a:redhat:ansible_automation_platform:2.4::el9",
"cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8",
"cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9",
"cpe:/a:redhat:ansible_automation_platform:2.4::el8",
"cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Ansible Automation Platform 2.4 for RHEL 9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "automation-eda-controller",
"defaultStatus": "affected",
"versions": [
{
"version": "0:1.0.5-1.el9ap",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9",
"cpe:/a:redhat:ansible_automation_platform:2.4::el9",
"cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8",
"cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9",
"cpe:/a:redhat:ansible_automation_platform:2.4::el8",
"cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8"
]
}
]Related
cve
cve
CVE-2024-1657
2024-04-25 17:15:48
nvd
nvd
CVE-2024-1657
2024-04-25 17:15:48
redhatcve
redhatcve
CVE-2024-1657
2024-02-29 17:02:13
nessus
nessus
redhat
redhat
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
8.1 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%
Related for CVELIST:CVE-2024-1657