CVE-2020-14337

CWE-209 | 5 documents | 5 sources
Severity: 5.8 MEDIUM
EPSS: 0.9% (top 24.72%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jul 31
Latest update: May 24

Description

A data exposure flaw was found in Tower, where sensitive data was revealed from the HTTP return error codes. This flaw allows an unauthenticated, remote attacker to retrieve pages from the default organization and verify existing usernames. The highest threat from this vulnerability is to data confidentiality.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

CVEListV5 | ansible_tower | Ansible Tower 3.7.1 as well as previous versions are affected.

🔴 Vulnerability Details (2)

GHSA: GHSA-p8pw-f2qh-mrc2: A data exposure flaw was found in Tower, where sensitive data was revealed from the HTTP return error codes (2022-05-24)
CVEList: CVE-2020-14337: A data exposure flaw was found in Tower, where sensitive data was revealed from the HTTP return error codes (2020-07-31)

📋 Vendor Advisories (1)

Red Hat: Tower: Named URLs allow for testing the presence or absence of objects (2020-07-29)

💬 Community (1)

Bugzilla: CVE-2020-14337 Tower: Named URLs allow for testing the presence or absence of objects (2020-07-21)