PT-2019-4198 · Red Hat · Ansible Tower

Published: 2019-11-26 · Updated: 2019-12-17 · CVE-2019-14890

CVSS v3.1: 8.4 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Ansible Tower versions prior to 3.6.1

Description: A vulnerability allows an attacker with low privileges to retrieve the Red Hat Subscription Management (RHSM) username and password credentials, which are saved in plaintext in the database. This issue is related to the unencrypted storage of sensitive information exposed through the /api/v2/config endpoint. Exploitation of this issue may allow an attacker to gain unauthorized access to application user passwords.

Recommendations: For Ansible Tower versions prior to 3.6.1, update to version 3.6.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the /api/v2/config endpoint to minimize the risk of exploitation. Avoid using the RHSM credentials in the affected API endpoint until the issue is resolved.
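An added offline audit helper (example code written for this page, not the advisory's or Red Hat's own): it checks whether a Tower version string falls in the affected range and walks a captured /api/v2/config response for credential-like plaintext fields, reporting only their paths. The sample response and the `redhat_username`/`redhat_password` field names are constructed assumptions.

```python
"""Offline audit helper for the advisory above (added example, not Red Hat code).
(1) is_affected(): is the Tower version prior to 3.6.1?
(2) credential_fields(): which fields of a captured /api/v2/config response
    look like credentials? Paths only are reported, never values."""
import json
import re
from typing import Iterator, Tuple

FIXED_VERSION = (3, 6, 1)  # first fixed release named by the advisory
CREDENTIAL_KEY_RE = re.compile(r"password|passwd|secret|token", re.IGNORECASE)

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.5.3' or '3.6.1-1' into a comparable tuple of ints."""
    core = re.match(r"\d+(\.\d+)*", text.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in core.group(0).split("."))

def is_affected(version: str) -> bool:
    """True when the Tower version is prior to 3.6.1 (the advisory's range)."""
    v = parse_version(version)
    v = v + (0,) * (len(FIXED_VERSION) - len(v))  # '3.6' compares as 3.6.0
    return v < FIXED_VERSION

def credential_fields(doc, path: str = "") -> Iterator[str]:
    """Yield dotted paths of non-empty string fields with credential-like names."""
    if isinstance(doc, dict):
        for key, value in doc.items():
            here = f"{path}.{key}" if path else key
            if CREDENTIAL_KEY_RE.search(key) and isinstance(value, str) and value:
                yield here  # report the path only, never the value
            else:
                yield from credential_fields(value, here)
    elif isinstance(doc, list):
        for i, item in enumerate(doc):
            yield from credential_fields(item, f"{path}[{i}]")

# Constructed sample in the shape of a config response; the RHSM field names
# are assumptions, not a real capture.
SAMPLE_CONFIG = json.loads('{"version": "3.5.3", "license_info": {"subscription_name": "Example"},'
                           ' "redhat_username": "rhsm-user", "redhat_password": "not-a-real-password"}')

def audit(version: str, config: dict) -> dict:
    """Summarise exposure: affected version plus any credential-like plaintext fields."""
    return {"affected": is_affected(version), "exposed": list(credential_fields(config))}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG["version"], SAMPLE_CONFIG))
```

A non-empty `exposed` list on an affected version is the signal to apply the update and rotate the RHSM credentials.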

Weakness Enumeration

Cleartext Storage of Sensitive Information

Related Identifiers

BDU:2019-04794
CVE-2019-14890

Affected Products

Ansible Tower