CVE-2021-20253

CWE-552Files Accessible to External Parties4 documents4 sources
Severity
6.7MEDIUM
EPSS
0.3%
top 48.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Redhat Ansible Tower
Timeline
PublishedMar 9
Latest updateMay 24

Description

A flaw was found in ansible-tower. The default installation is vulnerable to Job Isolation escape allowing an attacker to elevate the privilege from a low privileged user to the awx user from outside the isolated environment. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages2 packages

NVDredhat/ansible_tower3.7.03.7.5+2
CVEListV5ansible-toweransible-tower 3.8.2, ansible-tower 3.7.5, ansible-tower 3.6.7

🔴Vulnerability Details

2
GHSA
GHSA-rr45-4xhx-rxc8: A flaw was found in ansible-tower2022-05-24
CVEList
CVE-2021-20253: A flaw was found in ansible-tower2021-03-09

📋Vendor Advisories

1
Red Hat
ansible-tower: Privilege escalation via job isolation escape2021-03-08