CVE-2019-3869
Tower: credentials leaked through environment variables
Public Exploits: 0
Exploited in Wild: -
Descriptions
When running Tower before 3.4.3 on OpenShift or Kubernetes, application credentials are exposed to playbook job runs via environment variables. A malicious user with the ability to write playbooks could use this to gain administrative privileges.
When running Tower on OpenShift or Kubernetes, application credentials are exposed to playbook job runs via environment variables. A malicious user with the ability to write playbooks could use this to gain administrative privileges.
Timeline
- 2019-01-03 CVE Reserved
- 2019-03-28 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-04 CVE Updated
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-214: Invocation of Process Using Visible Sensitive Information
References (4)
URL | Date |
---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3869 | 2020-05-21 |
https://github.com/ansible/awx/pull/3505 | 2020-05-21 |
https://access.redhat.com/security/cve/CVE-2019-3869 | 2019-04-23 |
https://bugzilla.redhat.com/show_bug.cgi?id=1688508 | 2019-04-23 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Redhat | Ansible Tower | < 3.3.5 | - | Affected |
Redhat | Ansible Tower | >= 3.4.0 < 3.4.3 | - | Affected |