CVE-2021-4112 — Files or Directories Accessible to External Parties in Redhat Ansible Automation Platform

CWE-552 — Files or Directories Accessible to External Parties4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.1%

top 69.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Ansible Automation Platform Redhat Ansible Automation Platform Early Access Redhat Ansible Tower

Timeline

PublishedAug 25

Latest updateAug 26

Description

A flaw was found in ansible-tower where the default installation is vulnerable to job isolation escape. This flaw allows an attacker to elevate the privilege from a low privileged user to an AWX user from outside the isolated environment.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 2.0 | Impact: 6.0

Affected Packages3 packages

▶NVDredhat/ansible_tower3.0

▶NVDredhat/ansible_automation_platform2.0, 2.1+1

▶NVDredhat/ansible_automation_platform_early_access2.0

🔴Vulnerability Details

GHSA

GHSA-2q78-vv73-5vr2: A flaw was found in ansible-tower where the default installation is vulnerable to job isolation escape↗2022-08-26

▶

CVEList

CVE-2021-4112: A flaw was found in ansible-tower where the default installation is vulnerable to job isolation escape↗2022-08-25

▶

📋Vendor Advisories

Red Hat

ansible-tower: Privilege escalation via job isolation escape↗2021-12-01

▶