Ansible Tower, before version 3.2.4, has a flaw in the management of system and organization administrators that allows for privilege escalation. System administrators that are members of organizations can have their passwords reset by organization administrators, allowing organization administrators access to the entire system.
Find out more about CVE-2018-1101 from the MITRE CVE dictionary and NIST NVD.
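
The authorization mistake described above can be modelled in a few lines. The following is an added example, not Ansible Tower source code: the `User` model, both check functions, the audit helper and the sample accounts are hypothetical, and the hardened rule is an assumed way to close the gap rather than the vendor's actual patch.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    is_system_admin: bool = False
    member_of: frozenset = frozenset()  # organizations the user belongs to
    admin_of: frozenset = frozenset()   # organizations the user administers


def can_reset_password_flawed(actor, target):
    """Model of the flaw: a shared organization alone grants the reset."""
    if actor.is_system_admin:
        return True
    return bool(actor.admin_of & target.member_of)


def can_reset_password_hardened(actor, target):
    """Assumed fix: only a system administrator may manage a system administrator."""
    if actor.is_system_admin:
        return True
    if target.is_system_admin:
        return False  # the target's role is checked before any organization scope
    return bool(actor.admin_of & target.member_of)


def exposed_system_admins(users):
    """System administrators an organization administrator can reset under the flawed rule."""
    org_admins = [u for u in users if u.admin_of and not u.is_system_admin]
    return sorted(
        t.name for t in users
        if t.is_system_admin and any(can_reset_password_flawed(a, t) for a in org_admins)
    )


# Constructed sample accounts (not taken from any real installation).
USERS = [
    User("root-admin", is_system_admin=True, member_of=frozenset({"eng"})),
    User("backup-admin", is_system_admin=True),
    User("eng-lead", member_of=frozenset({"eng"}), admin_of=frozenset({"eng"})),
    User("dev", member_of=frozenset({"eng"})),
]

if __name__ == "__main__":
    print(exposed_system_admins(USERS))
```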
CVSS3 Base Score | 8 |
---|---|
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
Attack Vector | Network |
Attack Complexity | High |
Privileges Required | High |
User Interaction | None |
Scope | Changed |
Confidentiality | High |
Integrity Impact | High |
Availability Impact | High |

Platform | Errata | Release Date |
---|---|---|
CloudForms Management Engine 5.8 | RHSA-2018:1972 | 2018-06-25 |
CloudForms Management Engine 5.9 | RHSA-2018:1328 | 2018-05-07 |

Platform | Package | State |
---|---|---|
Red Hat Ansible Tower 3 for RHEL 7 | security-tower | Under investigation |