CVE-2016-7070 — Incorrect Privilege Assignment in Redhat Ansible Tower

CWE-266 — Incorrect Privilege Assignment CWE-2645 documents5 sources

Severity

8.0HIGHNVD

EPSS

0.1%

top 75.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Ansible Tower RED HAT Ansible Tower

Timeline

PublishedSep 11

Latest updateMay 13

Description

A privilege escalation flaw was found in the Ansible Tower. When Tower before 3.0.3 deploys a PostgreSQL database, it incorrectly configures the trust level of postgres user. An attacker could use this vulnerability to gain admin level access to the database.

CVSS vector

CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.1 | Impact: 5.9

Affected Packages2 packages

▶NVDredhat/ansible_tower< 3.0.3

▶CVEListV5red_hat/ansible_tower3.0.3

🔴Vulnerability Details

GHSA

GHSA-674g-jv56-24mf: A privilege escalation flaw was found in the Ansible Tower↗2022-05-13

▶

CVEList

CVE-2016-7070: A privilege escalation flaw was found in the Ansible Tower↗2018-09-11

▶

📋Vendor Advisories

Red Hat

Tower: PostgreSQL privilege escalation in Tower-deployed setups↗2016-11-02

▶

💬Community

Bugzilla

CVE-2016-7070 Ansible Tower: PostgreSQL privilege escalation in Tower-deployed setups↗2018-09-11

▶