(RHSA-2021:0781) Moderate: Red Hat Ansible Automation Platform 1.2.2 security and bug fix update

2021-03-0915:08:01

access.redhat.com

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.01

Percentile

83.3%

JSON

Red Hat Ansible Automation Platform integrates Red Hat’s automation suite consisting of Red Hat Ansible Tower, Red Hat Ansible Engine, Automation Hub and use-case specific capabilities for Microsoft Windows, network, security, and more, along with Software-as-a-Service (SaaS)-based capabilities and features for organization-wide effectiveness.

This update fixes various bugs and adds enhancements. Documentation for
these changes is available from the Release Notes document linked to in the
References section.

Security Fix(es):

node-notifier: nodejs-node-notifier: command injection due to the options params not being sanitised when being passed an array (CVE-2020-7789)
nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)
django: Potential directory-traversal via archive.extract() (CVE-2021-3281)
python-pygments: infinite loop in SML lexer may lead to DoS (CVE-2021-20270)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

OSVersionArchitecturePackageVersionFilename
RedHat7noarchautomation-hub< 4.2.2-1.el7pcautomation-hub-4.2.2-1.el7pc.noarch.rpm
RedHat7noarchpython3-galaxy-ng< 4.2.2-1.el7pcpython3-galaxy-ng-4.2.2-1.el7pc.noarch.rpm
RedHat7noarchpython3-galaxy-importer< 0.2.15-1.el7pcpython3-galaxy-importer-0.2.15-1.el7pc.noarch.rpm
RedHat8noarchpython3-galaxy-ng< 4.2.2-1.el8pcpython3-galaxy-ng-4.2.2-1.el8pc.noarch.rpm
RedHat8noarchpython3-django< 2.2.18-1.el8pcpython3-django-2.2.18-1.el8pc.noarch.rpm
RedHat7noarchpython3-bleach-allowlist< 1.0.3-1.el7pcpython3-bleach-allowlist-1.0.3-1.el7pc.noarch.rpm
RedHat7noarchpython3-pulp-ansible< 0.5.6-1.el7pcpython3-pulp-ansible-0.5.6-1.el7pc.noarch.rpm
RedHat8noarchpython3-pulp-ansible< 0.5.6-1.el8pcpython3-pulp-ansible-0.5.6-1.el8pc.noarch.rpm
RedHat8noarchpython3-bleach< 3.3.0-1.el8pcpython3-bleach-3.3.0-1.el8pc.noarch.rpm
RedHat8noarchautomation-hub< 4.2.2-1.el8pcautomation-hub-4.2.2-1.el8pc.noarch.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	7	noarch	automation-hub	< 4.2.2-1.el7pc	automation-hub-4.2.2-1.el7pc.noarch.rpm
RedHat	7	noarch	python3-galaxy-ng	< 4.2.2-1.el7pc	python3-galaxy-ng-4.2.2-1.el7pc.noarch.rpm
RedHat	7	noarch	python3-galaxy-importer	< 0.2.15-1.el7pc	python3-galaxy-importer-0.2.15-1.el7pc.noarch.rpm
RedHat	8	noarch	python3-galaxy-ng	< 4.2.2-1.el8pc	python3-galaxy-ng-4.2.2-1.el8pc.noarch.rpm
RedHat	8	noarch	python3-django	< 2.2.18-1.el8pc	python3-django-2.2.18-1.el8pc.noarch.rpm
RedHat	7	noarch	python3-bleach-allowlist	< 1.0.3-1.el7pc	python3-bleach-allowlist-1.0.3-1.el7pc.noarch.rpm
RedHat	7	noarch	python3-pulp-ansible	< 0.5.6-1.el7pc	python3-pulp-ansible-0.5.6-1.el7pc.noarch.rpm
RedHat	8	noarch	python3-pulp-ansible	< 0.5.6-1.el8pc	python3-pulp-ansible-0.5.6-1.el8pc.noarch.rpm
RedHat	8	noarch	python3-bleach	< 3.3.0-1.el8pc	python3-bleach-3.3.0-1.el8pc.noarch.rpm
RedHat	8	noarch	automation-hub	< 4.2.2-1.el8pc	automation-hub-4.2.2-1.el8pc.noarch.rpm