Back to bug 1824033

Who	When	What	Removed	Added
Borja Tarraso	2020-04-15 06:35:30 UTC	Depends On		1824034, 1824035
Marian Rehak	2020-04-15 07:15:09 UTC	Summary	Tower: OAuth2 refresh tokens do not respect the expiration	CVE-2020-10709 Tower: OAuth2 refresh tokens do not respect the expiration
		Alias		CVE-2020-10709
Borja Tarraso	2020-04-16 08:05:05 UTC	Doc Text		A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. Ansible Tower use that token to provide authentication, however an attacker could get a refresh token which does not actually expire. The original granted and legitimate user would still have access to Tower. Any user which could get that token would be also able to get authenticate fully to Ansible Tower.
RaTasha Tillery-Smith	2020-04-16 13:07:57 UTC	Doc Text	A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. Ansible Tower use that token to provide authentication, however an attacker could get a refresh token which does not actually expire. The original granted and legitimate user would still have access to Tower. Any user which could get that token would be also able to get authenticate fully to Ansible Tower.	A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. Ansible Tower uses the token to provide authentication. This flaw allows an attacker to obtain a refresh token that does not expire. The original token granted to the user still has access to Ansible Tower, which allows any user that can gain access to the token to be fully authenticated to Ansible Tower.
Doran Moppert	2020-05-27 06:11:06 UTC	CC		dmoppert
Red Hat Bugzilla	2021-01-26 11:47:29 UTC	CC	gmainwar
Red Hat Bugzilla	2021-04-20 07:45:16 UTC	CC	rpetrell
Red Hat Bugzilla	2021-11-02 15:42:06 UTC	CC	notting
Red Hat Bugzilla	2021-12-15 11:50:48 UTC	CC	cmeyers
Red Hat Bugzilla	2023-07-07 08:33:40 UTC	Assignee	security-response-team	nobody

Back to bug 1824033