CVE-2019-19341
First published: Thu Dec 19 2019(Updated: )
A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2, where files in '/var/backup/tower' are left world-readable. These files include both the SECRET_KEY and the database backup. Any user with access to the Tower server, and knowledge of when a backup is run, could retrieve every credential stored in Tower. Access to data is the highest threat with this vulnerability.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Ansible Tower | >=3.6.0<3.6.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2019-19341?
The severity of CVE-2019-19341 is medium with a CVSS score of 5.5.
How does CVE-2019-19341 affect Ansible Tower?
CVE-2019-19341 affects Ansible Tower versions 3.6.x before 3.6.2.
What is the vulnerability description of CVE-2019-19341?
CVE-2019-19341 allows files in '/var/backup/tower' to be world-readable, exposing the SECRET_KEY and the database backup.
How can an attacker exploit CVE-2019-19341?
An attacker with access to the Tower server and knowledge of backup timings can retrieve sensitive credentials.
How can I fix CVE-2019-19341?
Upgrade to Ansible Tower version 3.6.2 to fix CVE-2019-19341.
- collector/nvd-index
- vendor/redhat
- canonical/redhat ansible tower
- version/redhat ansible tower/3.6.0