Bug 1829899 (CVE-2019-10310) - CVE-2019-10310 ansible-tower: cross-site request forgery could result in credentials disclosure
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-10310
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1829903
Reported: 2020-04-30 14:34 UTC by Michael Kaplan
Modified: 2021-02-16 14:05 UTC (History)

Fixed In Version: ansible-tower 9.2
Clone Of:
Environment:
Last Closed: 2020-04-30 16:44:46 UTC
Embargoed:



Description Michael Kaplan 2020-04-30 14:34:03 UTC
A cross-site request forgery vulnerability was found in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#doTestTowerConnection form validation method that allowed attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
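The flaw described above is a pattern that recurs in Jenkins plugins: a form-validation method reachable by GET that takes a URL and a credentials ID and performs a live connection with the chosen stored secret. Below is an added illustration of the vulnerable shape next to the hardened one; it is not code from the Jenkins Ansible Tower Plugin, and the class name, the `/api/v2/ping/` path and the credential type are assumptions for the example.

```java
// Added example, not the plugin's own code. Shows why a GET-reachable,
// unguarded connection-test endpoint leaks stored credentials and how the
// standard Jenkins fix (require POST + check permission) closes it.
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

public class ExampleTowerDescriptor {  // hypothetical descriptor class

    // Vulnerable shape: reachable via GET with no permission check, so any site a
    // logged-in user visits can trigger it with a URL and credentials ID of its choice.
    public FormValidation doTestTowerConnectionVulnerable(
            @QueryParameter String towerUrl, @QueryParameter String credentialsId) throws Exception {
        return connect(towerUrl, credentialsId);
    }

    // Hardened shape: @POST makes Stapler reject GET (so Jenkins' CSRF crumb check
    // applies), and only users allowed to administer Jenkins may run the test.
    @POST
    public FormValidation doTestTowerConnection(
            @QueryParameter String towerUrl, @QueryParameter String credentialsId) throws Exception {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return connect(towerUrl, credentialsId);
    }

    // The live test: the stored secret is sent to whatever host towerUrl names,
    // which is exactly what an unguarded endpoint lets a third party choose.
    private FormValidation connect(String towerUrl, String credentialsId) throws Exception {
        StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (creds == null) return FormValidation.error("No credentials with id " + credentialsId);
        HttpURLConnection conn = (HttpURLConnection) new URL(towerUrl + "/api/v2/ping/").openConnection();
        String pair = creds.getUsername() + ":" + creds.getPassword().getPlainText();
        conn.setRequestProperty("Authorization", "Basic "
                + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8)));
        int code = conn.getResponseCode();
        return code == 200 ? FormValidation.ok("Connected") : FormValidation.error("HTTP " + code);
    }
}
```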

Comment 1 Michael Kaplan 2020-04-30 14:34:44 UTC
Upstream Advisory:

https://www.jenkins.io/security/advisory/2019-04-30/#SECURITY-1355

Comment 2 Bill Nottingham 2020-04-30 16:44:46 UTC
Not something we maintain or ship.

Comment 3 Yadnyawalk Tale 2020-05-05 11:54:34 UTC
CloudForms 5.11 does not use ansible-tower, and 5.10 is only using ansible-tower-venv-ansible atm.

Comment 4 Borja Tarraso 2020-05-05 13:12:25 UTC
Tower is neither shipping nor maintaining this plugin; that's part of jenkinsci, not Ansible as such. No Ansible Tower versions are affected as such.

