A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5.x before 3.5.3, where enabling RabbitMQ manager by setting it with…
redhat·CWE-1188·Published 2019-12-19
A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5.x before 3.5.3, where enabling RabbitMQ manager by setting it with '-e rabbitmq_enable_manager=true' exposes the RabbitMQ management interface publicly, as expected. If the default admin user is still active, an attacker could guess the password and gain access to the system.
A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5.x before 3.5.3, where enabling RabbitMQ manager by setting it with '-e rabbitmq_enable_manager=true' exposes the RabbitMQ management interface publicly, as expected. If the default admin user is still active, an attacker could guess the password and gain access to the system.
Se encontró un fallo en Ansible Tower, versiones 3.6.x anteriores a 3.6.2 y versiones 3.5.x anteriores a 3.5.3, donde habilitar el administrador de RabbitMQ configurándolo con "-e rabbitmq_enable_manager=true" expone la interfaz de administración de RabbitMQ públicamente, como era esperado. Si el usuario administrador predeterminado aún está activo, un atacante podría adivinar la contraseña y conseguir acceso al sistema.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 6.4 | 10.0 | 4.9 | AV:N/AC:L/Au:N/C:P/I:N/A:P |
| 3.0 | Primary | cve.org | 8.2 | — | — | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L |
| 3.0 | Primary | cve.org | 8.2 | — | — | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L |
| 3.0 | Secondary | NVD | 8.2 | 3.9 | 4.2 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L |
| 3.1 | Primary | NVD | 8.2 | 3.9 | 4.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L |