CVE-2019-3869

7.2HIGH

Key Information:

Vendor: Red Hat
Status: Tower
Vendor: CVE Published:; 28 March 2019

Summary

When running Tower before 3.4.3 on OpenShift or Kubernetes, application credentials are exposed to playbook job runs via environment variables. A malicious user with the ability to write playbooks could use this to gain administrative privileges.

Affected Version(s)

Tower 3.3.5

Tower 3.4.3

References

https://github.com/ansible/awx/pull/3505

x_refsource_MISC

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3869

x_refsource_CONFIRM

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 28, 2019
Vulnerability Reserved
Jan 3, 2019