CVE-2019-19340

Published: Dec 19, 2019Modified: Nov 21, 2024

8.2

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

Exploitability: 3.9 / Impact: 4.2

Source: NVD

Description

A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5.x before 3.5.3, where enabling RabbitMQ manager by setting it with '-e rabbitmq_enable_manager=true' exposes the RabbitMQ management interface publicly, as expected. If the default admin user is still active, an attacker could guess the password and gain access to the system.

Affected (3)

Products: Redhat: Ansible Tower, Enterprise Linux

2 products

Enterprise Linux

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Redhat Ansible Tower	From 3.5.0 to 3.5.3
Redhat Ansible Tower	From 3.6.0 to 3.6.2

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux	Version 7.0

Related CWEs

Initialization of a Resource with an Insecure Default

The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

References (2)

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19340

Source: secalert@redhat.com

Issue TrackingVendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19340

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

Timeline

No history available yet.