Lucene search

K
redhatcveRedhat.comRH:CVE-2019-19340
HistoryDec 14, 2019 - 12:54 a.m.

CVE-2019-19340

2019-12-1400:54:33
redhat.com
access.redhat.com
14

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

0.002 Low

EPSS

Percentile

57.4%

A flaw was found in Ansible Tower 3.6.1 and 3.5.3 where enabling RabbitMQ manager by setting it with ‘-e rabbitmq_enable_manager=true’ exposes the RabbitMQ management interface publicly, as expected. If the default admin user is still active, an attacker could guess the password and gain access to the system.

Mitigation

The issue could be mitigated by limiting the access of the interface to internal trusted networks, limiting the ports open and set the firewall with more restrictive rules. Some of these instructions are already suggested in the Ansible Tower documentation as part of the Ansible Tower Administration Guide. Issue could be also mitigated by deleting the guest default user by running the command "rabbitmqctl delete_user guest".

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

0.002 Low

EPSS

Percentile

57.4%