Page 8 of 40 results (0.016 seconds)

CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0

A privilege escalation flaw was found in the Ansible Tower. When Tower before 3.0.3 deploys a PostgreSQL database, it incorrectly configures the trust level of postgres user. An attacker could use this vulnerability to gain admin level access to the database. Se ha encontrado un error de escalado de privilegios en Ansible Tower. Cuando Tower en versiones anteriores a la 3.0.3 despliega una base de datos PostgreSQL, configura incorrectamente el nivel de confianza del usuario postgres. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7070 https://docs.ansible.com/ansible-tower/3.0.3/html/upgrade-migration-guide/release_notes.html • CWE-264: Permissions, Privileges, and Access Controls CWE-266: Incorrect Privilege Assignment •

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

Ansible Tower before versions 3.1.8 and 3.2.6 is vulnerable to cross-site request forgery (CSRF) in awx/api/authentication.py. An attacker could exploit this by tricking already authenticated users into visiting a malicious site and hijacking the authtoken cookie. Ansible Tower en versiones anteriores a la 3.1.8 y 3.2.6 es vulnerable a Cross-Site Request Forgery (CSRF) en awx/api/authentication.py. Un atacante podría explotarlo engañando a usuarios ya autenticados para que visiten un sitio malicioso y secuestren la cookie autenticada. • http://www.securityfocus.com/bid/105136 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10884 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0

Ansible Tower through version 3.2.3 has a vulnerability that allows users only with access to define variables for a job template to execute arbitrary code on the Tower server. Ansible Tower hasta la versión 3.2.3 tiene una vulnerabilidad que permite que usuarios que solo tienen acceso para definir variables para una plantilla de trabajo ejecuten código arbitrario en el servidor Tower. • https://access.redhat.com/errata/RHSA-2018:1328 https://access.redhat.com/errata/RHSA-2018:1972 https://access.redhat.com/security/cve/cve-2018-1104 https://bugzilla.redhat.com/show_bug.cgi?id=1565862 https://www.ansible.com/security https://access.redhat.com/security/cve/CVE-2018-1104 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 8.0EPSS: 0%CPEs: 3EXPL: 0

Ansible Tower before version 3.2.4 has a flaw in the management of system and organization administrators that allows for privilege escalation. System administrators that are members of organizations can have their passwords reset by organization administrators, allowing organization administrators access to the entire system. Ansible Tower en versiones anteriores a la 3.2.4 tiene un error en la gestión de administradores de sistema y organización que permite el escalado de privilegios. Los administradores de organización pueden restablecer la contraseña de los administradores de sistema que son miembros de organizaciones, lo que permite que los administradores de organización accedan a todo el sistema. Ansible Tower, before version 3.2.4, has a flaw in the management of system and organization administrators that allows for privilege escalation. • https://access.redhat.com/errata/RHSA-2018:1328 https://access.redhat.com/errata/RHSA-2018:1972 https://access.redhat.com/security/cve/cve-2018-1101 https://bugzilla.redhat.com/show_bug.cgi?id=1563492 https://www.ansible.com/security https://access.redhat.com/security/cve/CVE-2018-1101 • CWE-266: Incorrect Privilege Assignment CWE-521: Weak Password Requirements •

CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0

A flaw was found in Ansible Tower's interface before 3.1.5 and 3.2.0 with SCM repositories. If a Tower project (SCM repository) definition does not have the 'delete before update' flag set, an attacker with commit access to the upstream playbook source repository could create a Trojan playbook that, when executed by Tower, modifies the checked out SCM repository to add git hooks. These git hooks could, in turn, cause arbitrary command and code execution as the user Tower runs as. Se ha encontrado un fallo en la interfaz de Ansible Tower en versiones anteriores a la 3.1.5 y 3.2.0 con repositorios SCM. Si la definición de un proyecto de Tower (repositorio SCM) no tiene el flag "delete before update" marcado, un atacante con acceso commit al repositorio de origen del playbook upstream podría crear un playbook troyano que, cuando es ejecutado por Tower, modifique el repositorio SCM comprobado para añadiir hooks git. • https://access.redhat.com/errata/RHSA-2017:3005 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12148 https://access.redhat.com/security/cve/CVE-2017-12148 https://bugzilla.redhat.com/show_bug.cgi?id=1485474 • CWE-20: Improper Input Validation •