CVE-2019-3869: Invocation of Process Using Visible Sensitive Information in Redhat Ansible Tower

Severity: 7.2 HIGH (NVD)
EPSS: 0.3% (top 44.11%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 28; Latest update May 13

Description

When running Tower before 3.4.3 on OpenShift or Kubernetes, application credentials are exposed to playbook job runs via environment variables. A malicious user with the ability to write playbooks could use this to gain administrative privileges.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (2 packages)

NVD: redhat/ansible_tower 3.4.0 3.4.3 +1
CVEListV5: red_hat/tower 3.3.5, 3.4.3 +1

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-9qmx-gcjw-jrg2: When running Tower before 3 (2022-05-13)
CVEList: CVE-2019-3869: When running Tower before 3 (2019-03-28)

📋 Vendor Advisories (1)

Red Hat: Tower: credentials leaked through environment variables (2019-03-26)

💬 Community (1)

Bugzilla: CVE-2019-3869 Tower: credentials leaked through environment variables (2019-03-13)