CVE-2019-19341

CWE-732Incorrect Permission Assignment5 documents5 sources
Severity
5.5MEDIUM
EPSS
0.0%
top 86.98%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Redhat Ansible TowerRedhat Tower
Timeline
PublishedDec 19
Latest updateMay 24

Description

A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2, where files in '/var/backup/tower' are left world-readable. These files include both the SECRET_KEY and the database backup. Any user with access to the Tower server, and knowledge of when a backup is run, could retrieve every credential stored in Tower. Access to data is the highest threat with this vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

NVDredhat/ansible_tower3.6.03.6.2
CVEListV5redhat/towerall ansible_tower versions 3.6.x before 3.6.2

🔴Vulnerability Details

2
GHSA
GHSA-jx7q-9m4v-jj44: A flaw was found in Ansible Tower, versions 32022-05-24
CVEList
CVE-2019-19341: A flaw was found in Ansible Tower, versions 32019-12-19

📋Vendor Advisories

1
Red Hat
Tower: intermediate files during Tower backup are world-readable2019-12-14

💬Community

1
Bugzilla
CVE-2019-19341 Tower: intermediate files during Tower backup are world-readable2019-12-12
CVE-2019-19341 (MEDIUM CVSS 5.5) | A flaw was found in Ansible Tower | cvebase.io