CVE-2020-10698

Severity: 3.3 LOW
EPSS: 0.0% (top 87.60%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: May 27
Latest update: May 24

Description

A flaw was found in Ansible Tower when running jobs. This flaw allows an attacker to access the stdout of executed jobs that are run from other organizations. Some sensitive data can be disclosed. However, critical data should not be disclosed, as it should be protected by the no_log flag when debugging is enabled. This flaw affects Ansible Tower versions before 3.6.4, Ansible Tower versions before 3.5.6 and Ansible Tower versions before 3.4.6.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 1.8 | Impact: 1.4

Affected Packages (2 packages)

NVD | redhat/ansible_tower | 3.5.0 | 3.5.6 | +2
CVEListV5 | tower | ansible_tower 3.6.4, ansible_tower 3.5.6, ansible_tower 3.4.6

Patches

🔴 Vulnerability Details (2)

GHSA | GHSA-j574-xrvq-v9wf: A flaw was found in Ansible Tower when running jobs | 2022-05-24
CVEList | CVE-2020-10698: A flaw was found in Ansible Tower when running jobs | 2021-05-27

📋 Vendor Advisories (1)

Red Hat | Tower: normal users can intercept stdout from jobs running in other organizations | 2020-03-27

💬 Community (1)

Bugzilla | CVE-2020-10698 Tower: normal users can intercept stdout from jobs running in other organizations | 2020-03-30