PT-2019-15817 · Red Hat+1 · Ansible Tower+1
Published: 2019-12-19 · Updated: 2020-05-21 · CVE-2019-19342
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Ansible Tower versions 3.5.x through 3.5.3
Ansible Tower versions 3.6.x through 3.6.1
Description
A flaw in Ansible Tower causes a socket error in RabbitMQ when the /websocket endpoint is requested with a password containing the # character. This results in an HTTP error code 500 and partial password disclosure in plaintext. An attacker could guess predictable passwords or brute force the password.
Recommendations
For Ansible Tower versions 3.5.x through 3.5.3, update to version 3.5.4 or later.
For Ansible Tower versions 3.6.x through 3.6.1, update to version 3.6.2 or later.
As a temporary workaround, consider avoiding the use of the # character in passwords until a patch is applied.
Fix
Generation of Error Message Containing Sensitive Information
Weakness Enumeration
Related Identifiers
Affected Products
Ansible Tower
RabbitMQ