CVE-2020-14296

Name of the Vulnerable Software and Affected Versions Red Hat CloudForms versions 4.7 through 5

Description The issue is related to a Server-Side Request Forgery (SSRF) flaw. It allows an attacker, with access to add an Ansible Tower provider, to scan and attack systems from the internal network that are not normally accessible. The vulnerability is due to insufficient validation of incoming requests, which can be exploited by a remote attacker to scan the internal network.

Recommendations For Red Hat CloudForms versions 4.7 through 5, consider restricting access to the Ansible Tower provider until a patch is available. As a temporary workaround, consider disabling the functionality that allows adding Ansible Tower providers to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.