Bug 2108653 (CVE-2022-2568)

Summary: CVE-2022-2568 Ansible: Logic flaw leads to privilage escalation
Product: [Other] Security Response Reporter: Vipul Nair <vinair>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bcoca, chousekn, cmeyers, davidn, gblomqui, jbreitwe, jcammara, jhardy, jobarker, mabashia, notting, osapryki, relrod, rpetrell, sdoran, security-response-team, simaishi, smcdonal, tkuratom
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A privilege escalation flaw was found in the Ansible Automation Platform. This flaw allows a remote authenticated user with 'change user' permissions to modify the account settings of the superuser account and also remove the superuser privileges.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-09-01 16:55:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2108668, 2108669, 2108670, 2108671    
Bug Blocks: 2108655    

Description Vipul Nair 2022-07-19 16:05:38 UTC 
User with 'change user' permissions can change any parameter from a superuser via API but none via UI. This user can even set the 'is_superuser' flag to false and thus remove superuser privileges.

HTTP request:
PATCH http://localhost:5001/api/automation-hub/_ui/v1/users/1/ 
{"username": "admin", "is_superuser": false}

200 OK
Comment 4 errata-xmlrpc 2022-08-16 13:20:18 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.1 for RHEL 8

Via RHSA-2022:6078 https://access.redhat.com/errata/RHSA-2022:6078
Comment 5 errata-xmlrpc 2022-08-16 13:21:48 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.2 for RHEL 8
  Red Hat Ansible Automation Platform 2.2 for RHEL 9

Via RHSA-2022:6079 https://access.redhat.com/errata/RHSA-2022:6079
Comment 6 Product Security DevOps Team 2022-09-01 16:55:50 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2568