- Issued:
- 2021-03-09
- Updated:
- 2021-03-09
RHSA-2021:0778 - Security Advisory
Synopsis
Important: Red Hat Ansible Tower 3.6.7-1 - Container security and bug fix update
Type/Severity
Security Advisory: Important
Topic
Red Hat Ansible Tower 3.6.7-1 - RHEL7 Container
Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Security Fix(es):
- Addressed a security issue which can allow a malicious playbook author to elevate to the awx user from outside the isolated environment: CVE-2021-20253
- Upgraded to a more recent version of nginx to address CVE-2019-20372
- Upgraded to a more recent version of autobahn to address CVE-2020-35678
- Upgraded to a more recent version of jquery to address CVE-2020-11022 and CVE-2020-11023
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html
Affected Products
- Red Hat Ansible Automation Platform Text-Only Advisories for RHEL 7 x86_64
Fixes
- BZ - 1790277 - CVE-2019-20372 nginx: HTTP request smuggling in configurations with URL redirect used as error_page
- BZ - 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
- BZ - 1850004 - CVE-2020-11023 jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution
- BZ - 1911314 - CVE-2020-35678 python-autobahn: allows redirect header injection
- BZ - 1928847 - CVE-2021-20253 ansible-tower: Privilege escalation via job isolation escape
CVEs
- CVE-2016-5766
- CVE-2018-20843
- CVE-2019-11719
- CVE-2019-11727
- CVE-2019-11756
- CVE-2019-12749
- CVE-2019-14866
- CVE-2019-15903
- CVE-2019-17006
- CVE-2019-17023
- CVE-2019-17498
- CVE-2019-19956
- CVE-2019-20372
- CVE-2019-20388
- CVE-2019-20907
- CVE-2020-1971
- CVE-2020-6829
- CVE-2020-7595
- CVE-2020-8177
- CVE-2020-10543
- CVE-2020-10878
- CVE-2020-11022
- CVE-2020-11023
- CVE-2020-12243
- CVE-2020-12400
- CVE-2020-12401
- CVE-2020-12402
- CVE-2020-12403
- CVE-2020-12723
- CVE-2020-35678
- CVE-2021-20178
- CVE-2021-20180
- CVE-2021-20191
- CVE-2021-20228
- CVE-2021-20253
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.