CVE-2019-14890

CWE-312 — Cleartext Storage of Sensitive Info5 documents5 sources

Severity

8.4HIGH

EPSS

0.0%

top 93.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

[unknown] Tower Redhat Ansible Tower

Timeline

PublishedNov 26

Latest updateMay 24

Description

A vulnerability was found in Ansible Tower before 3.6.1 where an attacker with low privilege could retrieve usernames and passwords credentials from the new RHSM saved in plain text into the database at '/api/v2/config' when applying the Ansible Tower license.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:NExploitability: 2.0 | Impact: 5.8

Affected Packages2 packages

▶NVDredhat/ansible_tower3.6.0

▶CVEListV5[unknown]/tower3.6.1

🔴Vulnerability Details

GHSA

GHSA-785w-m3xw-jfp8: An attacker with low privilege could retrieve usernames and passwords credentials from the new RHSM saved in plain text into the database at '/api/v2/↗2022-05-24

▶

CVEList

CVE-2019-14890: A vulnerability was found in Ansible Tower before 3↗2019-11-26

▶

📋Vendor Advisories

Red Hat

Tower: RHSM username and password exposed after license application↗2019-11-25

▶

💬Community

Bugzilla

CVE-2019-14890 Tower: RHSM username and password exposed after license application↗2019-11-18

▶