CVE-2020-10697

CWE-862 — Missing Authorization CWE-400 — Uncontrolled Resource Consumption5 documents5 sources

Severity

4.4MEDIUM

EPSS

0.0%

top 87.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Ansible Tower

Timeline

PublishedMay 27

Latest updateMay 24

Description

A flaw was found in Ansible Tower when running Openshift. Tower runs a memcached, which is accessed via TCP. An attacker can take advantage of writing a playbook polluting this cache, causing a denial of service attack. This attack would not completely stop the service, but in the worst-case scenario, it can reduce the Tower performance, for which memcached is designed. Theoretically, more sophisticated attacks can be performed by manipulating and crafting the cache, as Tower relies on memcached…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:LExploitability: 1.8 | Impact: 2.5

Affected Packages2 packages

▶NVDredhat/ansible_tower3.5.0 — 3.5.6+2

▶CVEListV5toweransible_tower 3.6.4, ansible_tower 3.5.6, ansible_tower 3.4.6

🔴Vulnerability Details

GHSA

GHSA-rhg6-3qw6-38pp: A flaw was found in Ansible Tower when running Openshift↗2022-05-24

▶

CVEList

CVE-2020-10697: A flaw was found in Ansible Tower when running Openshift↗2021-05-27

▶

📋Vendor Advisories

Red Hat

Tower: memcached deployment is insecure on OpenShift↗2020-03-29

▶

💬Community

Bugzilla

CVE-2020-10697 Tower: memcached deployment is insecure on OpenShift↗2020-03-28

▶