CVE-2019-19340

Source: redhat.com (access.redhat.com), RH:CVE-2019-19340
Published: Dec 14, 2019 - 12:54 a.m. (2019-12-14 00:54:33)
EPSS: 0.002 (Low), percentile 57.5%

A flaw was found in Ansible Tower 3.6.1 and 3.5.3: enabling the RabbitMQ manager with '-e rabbitmq_enable_manager=true' exposes the RabbitMQ management interface publicly, which is the documented behaviour of that setting. If the default admin user is still active, an attacker could guess the password and gain access to the system.

Mitigation

The issue can be mitigated by limiting access to the interface to internal trusted networks, reducing the number of open ports, and configuring the firewall with more restrictive rules. Some of these steps are already recommended in the Ansible Tower documentation as part of the Ansible Tower Administration Guide. The issue can also be mitigated by deleting the default guest user with the command "rabbitmqctl delete_user guest".
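The two conditions the mitigation addresses can be checked from a shell. The script below is an added example, not part of the Red Hat advisory or of Ansible Tower; it assumes the usual `rabbitmqctl list_users` output format (one user name per line followed by its tags), `ss -ltn`-style listener output, and RabbitMQ's default management port of 15672. The sample inputs are constructed.

```shell
#!/bin/sh
# Added example: detect the default "guest" user and a management interface
# bound to a non-loopback address, the two exposures the advisory describes.

# Returns 0 when a user named "guest" appears in `rabbitmqctl list_users`
# output read from stdin (header lines start with "Listing" / "user").
guest_user_present() {
    awk '$1 == "guest" { found = 1 } END { exit !found }'
}

# Returns 0 when the given port (default 15672, assumed to be the RabbitMQ
# management port) is listening on an address other than loopback, judged
# from `ss -ltn`-style output read from stdin.
mgmt_exposed() {
    awk -v port="${1:-15672}" '
        $1 == "LISTEN" && $4 ~ (":" port "$") && $4 !~ /^(127\.|\[::1\])/ { exposed = 1 }
        END { exit !exposed }'
}

# Applies the remediation quoted in the advisory, but only when the default
# user actually exists. Not invoked on sample data below.
remove_default_guest() {
    if rabbitmqctl list_users | guest_user_present; then
        rabbitmqctl delete_user guest
    fi
}

# Constructed sample data standing in for live command output.
SAMPLE_USERS=$(printf 'Listing users ...\nuser\ttags\nguest\t[administrator]\ntower\t[administrator]\n')
SAMPLE_LISTEN=$(printf 'State Recv-Q Send-Q Local Address:Port Peer Address:Port\nLISTEN 0 128 0.0.0.0:15672 0.0.0.0:*\nLISTEN 0 128 127.0.0.1:5672 0.0.0.0:*\n')

if printf '%s\n' "$SAMPLE_USERS" | guest_user_present; then
    echo "default guest user present: run rabbitmqctl delete_user guest"
fi
if printf '%s\n' "$SAMPLE_LISTEN" | mgmt_exposed 15672; then
    echo "management port 15672 reachable beyond loopback: restrict it at the firewall"
fi
```

On a live host, replace the sample variables with `rabbitmqctl list_users` and `ss -ltn` output; both findings are printed for the constructed samples above.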
