CVE-2018-1101

CWE-266, CWE-521 | 6 documents | 5 sources
Severity: 7.2 HIGH
EPSS: 0.4% (top 37.37%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 2; latest update May 13

Description

Ansible Tower before version 3.2.4 has a flaw in the management of system and organization administrators that allows for privilege escalation. System administrators that are members of organizations can have their passwords reset by organization administrators, allowing organization administrators access to the entire system.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (3 packages)

CVEListV5: red_hat,_inc./ansible_tower, before 3.2.4
NVD: redhat/cloudforms 4.5, 4.6 +1

Vulnerability Details (2)

GHSA: GHSA-hfwp-5v2g-2vvc: Ansible Tower before version 3 (2022-05-13)
CVEList: CVE-2018-1101: Ansible Tower before version 3 (2018-05-02)

Vendor Advisories (1)

Red Hat: ansible-tower: Privilege escalation flaw allows for organization admins to obtain system privileges (2018-04-27)

Community (2)

Bugzilla: CVE-2018-1000411 jenkins-plugin-junit: CSRF due to URL not requiring POST requests (2018-10-15)
Bugzilla: CVE-2018-1101 ansible-tower: Privilege escalation flaw allows for organization admins to obtain system privileges (2018-04-04)