PT-2021-9714 · Red Hat · Ansible Tower
Published 2021-05-27 · Updated 2021-06-07 · CVE-2020-14327
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Ansible Tower versions prior to 3.6.5
Ansible Tower versions prior to 3.7.2
Description
A server-side request forgery (SSRF) flaw was found in Ansible Tower. An attacker exploits it by supplying a URL that the server then processes, allowing a connection to internal services or the exposure of additional internal services. Concretely, the test feature of lookup credentials is abused to forge HTTP/HTTPS requests from the server and retrieve the results of the response.
Recommendations
For versions prior to 3.6.5, update to version 3.6.5 or later.
For versions prior to 3.7.2, update to version 3.7.2 or later.
As a temporary workaround, consider restricting access to the test feature of lookup credentials to minimize the risk of exploitation.
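The workaround limits who may reach the test feature; the durable fix is for the server to refuse to connect to internal addresses on the caller's behalf. The following is an added, hypothetical illustration of such a check for a "test this credential" endpoint (not Ansible Tower's own code); the metadata address, the `resolve` hook and the sample hostnames are assumptions for the example.

```python
"""Hypothetical SSRF hardening for a server-side credential-test endpoint.
Illustrative only; this is not Ansible Tower's code."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Cloud instance-metadata endpoint, blocked explicitly (assumed example).
METADATA_NETWORKS = [ipaddress.ip_network("169.254.169.254/32")]


def _default_resolve(host):
    """Every IP the server could actually connect to for this host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_blocked(ip):
    """True for any address a user-supplied URL must never reach."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:  # e.g. ::ffff:10.0.0.1
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified
            or any(addr in net for net in METADATA_NETWORKS))


def check_lookup_url(url, resolve=_default_resolve):
    """Return (ok, reason). The caller must then connect to the resolved
    address it checked, so a DNS change cannot slip past the check."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials embedded in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ips = {str(ipaddress.ip_address(host))}  # literal IP, no DNS lookup
    except ValueError:
        try:
            ips = set(resolve(host))
        except (socket.gaierror, OSError) as exc:
            return False, f"cannot resolve {host}: {exc}"
    for ip in ips:
        if _is_blocked(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"
```

Checking only the literal host string is not enough: a hostname that resolves to a private range, or an IPv4-mapped IPv6 literal, reaches the same internal service, which is why the check works on the resolved addresses.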
Tags: Fix · SSRF
Affected Products
Ansible Tower