PT-2021-9715 · Red Hat · Ansible Tower
Borja Tarraso
+1
·
Published
2021-05-27
·
Updated
2021-06-07
·
CVE-2020-14328
CVSS v3.1
3.3
Low
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Ansible Tower versions prior to 3.7.2
Description
A Server Side Request Forgery flaw can be abused by supplying a URL, which could lead to the server processing it and connecting to internal services or exposing additional internal services. In case of an error, this could result in retrieving full details, posing the highest threat to data confidentiality.
Recommendations
For versions prior to 3.7.2, update to version 3.7.2 or later to resolve the issue. As a temporary workaround, consider restricting access to internal services and limiting the ability to supply URLs that could be used to exploit the Server Side Request Forgery flaw.
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ansible Tower