Main Vulnerability Database SB2018072714

SB2018072714 - Input validation error in Ansible Tower

Published: July 27, 2018 Updated: July 17, 2020

Security Bulletin ID SB2018072714

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2017-12148)

The vulnerability allows a remote privileged user to execute arbitrary code.

A flaw was found in Ansible Tower's interface before 3.1.5 and 3.2.0 with SCM repositories. If a Tower project (SCM repository) definition does not have the 'delete before update' flag set, an attacker with commit access to the upstream playbook source repository could create a Trojan playbook that, when executed by Tower, modifies the checked out SCM repository to add git hooks. These git hooks could, in turn, cause arbitrary command and code execution as the user Tower runs as.

Remediation

Install update from vendor's website.

SB2018072714 - Input validation error in Ansible Tower

Breakdown by Severity

Description

Remediation

References

Please verify you're human