CVE-2019-19342
Tower: special characters in RabbitMQ passwords causes web socket 500 error
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5.x before 3.5.4, when /websocket is requested and the password contains the '#' character. This request would cause a socket error in RabbitMQ when parsing the password and an HTTP error code 500 and partial password disclose will occur in plaintext. An attacker could easily guess some predictable passwords or brute force the password.
Se encontró un fallo en Ansible Tower, versiones 3.6.x anteriores a 3.6.2 y versiones 3.5.x anteriores a 3.5.4, cuando /websocket es solicitado y la contraseña contiene el carácter "#". Esta petición provocaría un error de socket en RabbitMQ al analizar la contraseña y se producirá un código de error HTTP 500 y una divulgación de contraseña parcial en texto plano. Un atacante podría adivinar fácilmente algunas contraseñas predecibles o llevar a cabo fuerza bruta de la contraseña.
A flaw was found in Ansible Tower 3.6.1 and 3.5.3 when /websocket is requested and the password contains the '#' character. This request would cause a socket error in RabbitMQ when parsing the password and an HTTP error code 500 and partial password disclose will occur in plaintext. An attacker could easily guess some predictable passwords or brute force the password.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-11-27 CVE Reserved
- 2019-12-17 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-209: Generation of Error Message Containing Sensitive Information
CAPEC
References (3)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19342 | 2020-05-21 | |
https://access.redhat.com/security/cve/CVE-2019-19342 | 2019-12-16 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1782623 | 2019-12-16 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Redhat Search vendor "Redhat" | Ansible Tower Search vendor "Redhat" for product "Ansible Tower" | >= 3.5.0 < 3.5.4 Search vendor "Redhat" for product "Ansible Tower" and version " >= 3.5.0 < 3.5.4" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Ansible Tower Search vendor "Redhat" for product "Ansible Tower" | >= 3.6.0 < 3.6.2 Search vendor "Redhat" for product "Ansible Tower" and version " >= 3.6.0 < 3.6.2" | - |
Affected
|