CVE Vulnerability

CVE-2018-16879

Ansible Tower before version 3.3.3 does not set a secure channel as it is using the default insecure configuration channel settings for messaging celery workers from RabbitMQ. This could lead in data leak of sensitive information such as passwords as well as denial of service attacks by deleting projects or inventory files.

7.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16879 Issue Tracking Vendor Advisory
http://www.securityfocus.com/bid/106310 Broken Link Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
Information

Published : 2019-01-03 02:29

Updated : 2023-02-03 02:12

NVD link : CVE-2018-16879

Mitre link : CVE-2018-16879

Products Affected
No products.
CWE
CWE-311

Missing Encryption of Sensitive Data