Red Hat Ansible Tower vulnerabilities
4 known vulnerabilities affecting red_hat/ansible_tower.
Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 2
Vulnerabilities
CVE-2020-10782 | MEDIUM | CVSS 6.5 | CWE-200 | Affected: version 3.7.0 | Fixed: version 3.7.1 | 2020-06-18
An exposure of sensitive information flaw was found in Ansible version 3.7.0. Sensitive information, such as tokens and other secrets, could be readable and exposed from the rsyslog configuration file, which is set with incorrect, world-readable permissions. The highest threat from this vulnerability is to confidentiality. This is fixed in Ansible version 3.
Sources: cvelistv5, nvd
CVE-2016-7070 | HIGH | CVSS 8.0 | CWE-266 | v3.0.3 | 2018-09-11
A privilege escalation flaw was found in Ansible Tower. When Tower before 3.0.3 deploys a PostgreSQL database, it incorrectly configures the trust level of the postgres user. An attacker could use this vulnerability to gain admin-level access to the database.
Sources: cvelistv5, nvd
CVE-2017-7528 | MEDIUM | CVSS 6.5 | CWE-113 | As shipped with Red Hat CloudForms Management Engine 5 | 2018-08-22
Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that the X-Forwarded-For header allows internal servers to deploy other systems (using callback).
Sources: cvelistv5, nvd
CVE-2017-12148 | HIGH | CVSS 7.2 | CWE-20 | v3.1.5, v3.2.0 | 2018-07-27
A flaw was found in Ansible Tower's interface before 3.1.5 and 3.2.0 with SCM repositories. If a Tower project (SCM repository) definition does not have the 'delete before update' flag set, an attacker with commit access to the upstream playbook source repository could create a Trojan playbook that, when executed by Tower, modifies the checked out SCM
Sources: cvelistv5, nvd