Environment Variable Exposure in Ansible Tower on OpenShift and Kubernetes
CVE-2019-3869

7.2HIGH

Key Information:

Vendor: Red Hat
Status: Tower
Vendor: CVE Published:; 28 March 2019

Summary

Ansible Tower versions before 3.4.3, when deployed on OpenShift or Kubernetes, expose sensitive application credentials through environment variables during playbook job executions. This flaw allows any malicious user with permission to create or modify playbooks to potentially escalate their privileges, granting them unauthorized access and control over the application.

Affected Version(s)

Tower 3.3.5

Tower 3.4.3

References

https://github.com/ansible/awx/pull/3505

x_refsource_MISC

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3869

x_refsource_CONFIRM

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 28, 2019
Vulnerability Reserved
Jan 3, 2019