Insecure WebSocket Connection in Ansible Rulebook EDA Server Exposes System Data
CVE-2024-1657
8.1 HIGH
Key Information
- Vendor: Red Hat
- Status:
  - Red Hat Ansible Automation Platform 2.4 for RHEL 8
  - Red Hat Ansible Automation Platform 2.4 for RHEL 9
- CVE Published: 25 April 2024
Summary
A flaw was found in the Ansible Automation Platform. An insecure WebSocket connection was being used in installation from the Ansible rulebook EDA server. An attacker who has access to any machine in the CIDR block could download all rulebook data from the WebSocket, resulting in loss of confidentiality and integrity of the system.
Affected Version(s)
Red Hat Ansible Automation Platform 2.4 for RHEL 8 <= 0:2.4-6.el8ap
Red Hat Ansible Automation Platform 2.4 for RHEL 8 <= 0:1.0.5-1.el8ap
CVSS V3.1
- Score: 8.1
- Severity: HIGH
- Confidentiality: High
- Integrity: High
- Availability: None
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Timeline
Risk change from: null to: 8.1 - (HIGH)
Vulnerability published.
Reported to Red Hat.
Collectors
- NVD Database
- Mitre Database