Lucene search

[email protected]NVD:CVE-2021-20253

HistoryMar 09, 2021 - 6:15 p.m.

CVE-2021-20253

2021-03-0918:15:15

CWE-552

[email protected]

web.nvd.nist.gov

ansible-tower

job isolation escape

privilege elevation

awx user

data confidentiality

integrity

system availability

CVSS2

3.5

Attack Vector

LOCAL

Attack Complexity

HIGH

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:H/Au:S/C:P/I:P/A:P

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS

Percentile

12.6%

JSON

A flaw was found in ansible-tower. The default installation is vulnerable to Job Isolation escape allowing an attacker to elevate the privilege from a low privileged user to the awx user from outside the isolated environment. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Affected configurations

Nvd

Node

redhatansible_towerRange<3.6.7

redhatansible_towerRange3.7.0–3.7.5

redhatansible_towerRange3.8.0–3.8.2

References

bugzilla.redhat.com/show_bug.cgi?id=1928847

CVSS2

3.5

Attack Vector

LOCAL

Attack Complexity

HIGH

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:H/Au:S/C:P/I:P/A:P

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS

Percentile

12.6%

JSON

Related for NVD:CVE-2021-20253

cvelist1 cve1 redhatcve1 prion1 redhat3