PT-2024-1961 · Ansible · Ansible Automation Platform

Vipul Nair · Published 2024-02-20 · Updated 2026-02-25 · CVE-2024-1657

CVSS v2.0: 9.4 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N

Name of the Vulnerable Software and Affected Versions: Ansible Automation Platform (affected versions not specified)

Description: A flaw was found in the Ansible Automation Platform, related to an insecure WebSocket connection used during installation from the Ansible rulebook EDA server. An attacker with access to any machine in the CIDR block could download all rulebook data from the WebSocket, resulting in loss of confidentiality and integrity of the system. The vulnerability is also related to a lack of origin checking in WebSockets caused by incorrect channel restriction, which could allow a remote attacker to gain unauthorized access to protected information.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Cleartext Transmission of Sensitive Information

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2024-01785
CVE-2024-1657
RHSA-2024:1057

Affected Products

Ansible Automation Platform