CVE-2018-1104

Impact: Important
Public Date: 2018-04-27
CWE: CWE-20
Bugzilla: 1565862: CVE-2018-1104 ansible-tower: Remote code execution by users with access to define variables in job templates

Ansible Tower through version 3.2.3 has a vulnerability that allows users who only have access to define variables for a job template to execute arbitrary code on the Tower server.

Find out more about CVE-2018-1104 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score: 8.8
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity Impact: High
Availability Impact: High

Red Hat Security Errata

Platform Errata Release Date
CloudForms Management Engine 5.8 RHSA-2018:1972 2018-06-25
CloudForms Management Engine 5.9 RHSA-2018:1328 2018-05-07

Affected Packages State

Platform Package State
Red Hat Ansible Tower 3 for RHEL 7 security-tower Affected

Acknowledgements

Red Hat would like to thank Simon Vikström for reporting this issue.