CVE-2018-16879: Missing Encryption of Sensitive Data in Red Hat Ansible Tower

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.2% (top 54.22%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jan 3
Latest update: Jun 14

Description

Ansible Tower before version 3.3.3 does not set up a secure channel: it uses the default, insecure channel configuration for messaging Celery workers from RabbitMQ. This could lead to leaks of sensitive information such as passwords, as well as denial of service attacks by deleting projects or inventory files.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (1 package)

🔴 Vulnerability Details (3)

OSV: ncurses vulnerabilities (2022-06-14)
GHSA: GHSA-xw9p-c763-93fq: Ansible Tower before version 3 (2022-05-13)
CVEList: CVE-2018-16879: Ansible Tower before version 3 (2019-01-03)

📋 Vendor Advisories (1)

Red Hat: Tower: security channel is not set properly for AMPQ connection (2018-12-20)

💬 Community (1)

Bugzilla: CVE-2018-16879 Tower: security channel is not set properly for AMPQ connection (2018-12-11)
CVE-2018-16879 — Missing Encryption of Sensitive Data | cvebase