Bug 1818924 (CVE-2020-10698) - CVE-2020-10698 Tower: normal users can intercept stdout from jobs running in other organizations
Summary: CVE-2020-10698 Tower: normal users can intercept stdout from jobs running in ...
Status: NEW
Alias: CVE-2020-10698
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On: 1818925 1818926 1818927
Blocks: 1818771
TreeView+ depends on / blocked
Reported: 2020-03-30 17:38 UTC by Borja Tarraso
Modified: 2023-12-01 13:42 UTC (History)
4 users (show)

Fixed In Version: ansible_tower 3.6.4, ansible_tower 3.5.6, ansible_tower 3.4.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ansible Tower when running jobs. This flaw allows an attacker to access the stdout of the executed jobs which are run from other organizations. Some sensible data can be disclosed. However, critical data should not be disclosed, as it should be protected by the no_log flag when debugging is enabled.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Borja Tarraso 2020-03-30 17:38:27 UTC
Ansible Tower should prevent ws group subscription if not specified in the valid format. Otherwise this would allow normal users intercept stdout from jobs running in other organizations.

Comment 1 Borja Tarraso 2020-03-30 17:38:32 UTC

Name: Ryan Petrello (Red Hat)

Comment 2 Borja Tarraso 2020-03-30 17:38:35 UTC

Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.

Comment 6 Borja Tarraso 2020-03-30 17:53:02 UTC

This issue is possible to mitigate by disabling the stdout from jobs run through the nginx configuration file. However this may affect the usage of Tower as stdout stream would be hidden. To disable the output of running jobs the entire 'location /websocket' block from the nginx configuration (and restarting nginx service) it would be required. Nginx will stop serving /websocket by 404 HTTP code return.

Comment 7 Borja Tarraso 2020-03-30 18:18:41 UTC
awx link: https://github.com/ansible/awx/pull/6465

Note You need to log in before you can comment on or make changes to this bug.