CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1104 – ansible-tower: Remote code execution by users with access to define variables in job templates
https://notcve.org/view.php?id=CVE-2018-1104
Ansible Tower through version 3.2.3 has a vulnerability that allows users only with access to define variables for a job template to execute arbitrary code on the Tower server. Ansible Tower hasta la versión 3.2.3 tiene una vulnerabilidad que permite que usuarios que solo tienen acceso para definir variables para una plantilla de trabajo ejecuten código arbitrario en el servidor Tower. • https://access.redhat.com/errata/RHSA-2018:1328 https://access.redhat.com/errata/RHSA-2018:1972 https://access.redhat.com/security/cve/cve-2018-1104 https://bugzilla.redhat.com/show_bug.cgi?id=1565862 https://www.ansible.com/security https://access.redhat.com/security/cve/CVE-2018-1104 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.0EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1101 – ansible-tower: Privilege escalation flaw allows for organization admins to obtain system privileges
https://notcve.org/view.php?id=CVE-2018-1101
Ansible Tower before version 3.2.4 has a flaw in the management of system and organization administrators that allows for privilege escalation. System administrators that are members of organizations can have their passwords reset by organization administrators, allowing organization administrators access to the entire system. Ansible Tower en versiones anteriores a la 3.2.4 tiene un error en la gestión de administradores de sistema y organización que permite el escalado de privilegios. Los administradores de organización pueden restablecer la contraseña de los administradores de sistema que son miembros de organizaciones, lo que permite que los administradores de organización accedan a todo el sistema. Ansible Tower, before version 3.2.4, has a flaw in the management of system and organization administrators that allows for privilege escalation. • https://access.redhat.com/errata/RHSA-2018:1328 https://access.redhat.com/errata/RHSA-2018:1972 https://access.redhat.com/security/cve/cve-2018-1101 https://bugzilla.redhat.com/show_bug.cgi?id=1563492 https://www.ansible.com/security https://access.redhat.com/security/cve/CVE-2018-1101 • CWE-266: Incorrect Privilege Assignment CWE-521: Weak Password Requirements •
CVSS: 9.8EPSS: 4%CPEs: 23EXPL: 2CVE-2018-7750 – Paramiko 2.4.1 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2018-7750
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step. transport.py en la implementación del servidor SSH de Paramiko, en versiones anteriores a la 1.17.6; versiones 1.18.x anteriores a la 1.18.5; versiones 2.0.x anteriores a la 2.0.8; versiones 2.1.x anteriores a la 2.1.5; versiones 2.2.x anteriores a la 2.2.3; versiones 2.3.x anteriores a la 2.3.2 y versiones 2.4.x anteriores a la 2.4.1, no comprueba adecuadamente si la autenticación se ha completado antes de procesar otras peticiones, tal y como demuestra channel-open. Un cliente SSH personalizado puede simplemente omitir el paso de autenticación. It was found that when acting as an SSH server, paramiko did not properly check whether authentication is completed before processing other requests. A customized SSH client could use this to bypass authentication when accessing any resources controlled by paramiko. • https://www.exploit-db.com/exploits/45712 https://github.com/jm33-m0/CVE-2018-7750 http://www.securityfocus.com/bid/103713 https://access.redhat.com/errata/RHSA-2018:0591 https://access.redhat.com/errata/RHSA-2018:0646 https://access.redhat.com/errata/RHSA-2018:1124 https://access.redhat.com/errata/RHSA-2018:1125 https://access.redhat.com/errata/RHSA-2018:1213 https://access.redhat.com/errata/RHSA-2018:1274 https://access.redhat.com/errata/RHSA-2018:1328 https:&#x • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-12191 – CFME: VMRC plugin console grants users administrative access
https://notcve.org/view.php?id=CVE-2017-12191
A flaw was found in the CloudForms account configuration when using VMware. By default, a shared account is used that has privileged access to VMRC (VMWare Remote Console) functions that may not be appropriate for users of CloudForms (and thus this account). An attacker could use this vulnerability to view and make changes to settings in the VMRC and virtual machines controlled by it that they should not have access to. Se ha encontrado un error en la configuración de cuentas CloudForms al emplear VMware. Por defecto, se emplea una cuenta compartida con acceso privilegiado a funciones VMRC (VMWare Remote Console) que tal vez no sean apropiadas para usuarios de CloudForms (y, por lo tanto, esta cuenta). • https://access.redhat.com/errata/RHSA-2018:0374 https://bugzilla.redhat.com/show_bug.cgi?id=1500517 https://access.redhat.com/security/cve/CVE-2017-12191 • CWE-284: Improper Access Control CWE-613: Insufficient Session Expiration •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2017-12148 – Tower: modification of git hooks in SCM repo via upstream playbook execution
https://notcve.org/view.php?id=CVE-2017-12148
A flaw was found in Ansible Tower's interface before 3.1.5 and 3.2.0 with SCM repositories. If a Tower project (SCM repository) definition does not have the 'delete before update' flag set, an attacker with commit access to the upstream playbook source repository could create a Trojan playbook that, when executed by Tower, modifies the checked out SCM repository to add git hooks. These git hooks could, in turn, cause arbitrary command and code execution as the user Tower runs as. Se ha encontrado un fallo en la interfaz de Ansible Tower en versiones anteriores a la 3.1.5 y 3.2.0 con repositorios SCM. Si la definición de un proyecto de Tower (repositorio SCM) no tiene el flag "delete before update" marcado, un atacante con acceso commit al repositorio de origen del playbook upstream podría crear un playbook troyano que, cuando es ejecutado por Tower, modifique el repositorio SCM comprobado para añadiir hooks git. • https://access.redhat.com/errata/RHSA-2017:3005 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12148 https://access.redhat.com/security/cve/CVE-2017-12148 https://bugzilla.redhat.com/show_bug.cgi?id=1485474 • CWE-20: Improper Input Validation •