CVE-2018-1104

CWE-20 — Improper Input Validation CWE-94 — Code Injection5 documents5 sources

Severity

8.8HIGH

EPSS

0.4%

top 38.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Ansible Tower RED Hat, Inc. Ansible Tower Redhat Cloudforms

Timeline

PublishedMay 2

Latest updateMay 13

Description

Ansible Tower through version 3.2.3 has a vulnerability that allows users only with access to define variables for a job template to execute arbitrary code on the Tower server.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDredhat/ansible_tower3.2.3

▶CVEListV5red_hat,_inc./ansible_towerthrough version 3.2.3

▶NVDredhat/cloudforms4.5, 4.6+1

🔴Vulnerability Details

GHSA

GHSA-4839-8mxx-4xr9: Ansible Tower through version 3↗2022-05-13

▶

CVEList

CVE-2018-1104: Ansible Tower through version 3↗2018-05-02

▶

📋Vendor Advisories

Red Hat

ansible-tower: Remote code execution by users with access to define variables in job templates↗2018-04-27

▶

💬Community

Bugzilla

CVE-2018-1104 ansible-tower: Remote code execution by users with access to define variables in job templates↗2018-04-11

▶