In a Server-Side Request Forgery (SSRF) attack, the attacker abuses functionality on the server to read or update internal resources. The attacker supplies or modifies a URL that the code running on the server will read from or submit data to, and by carefully selecting the URLs, the attacker may be able to connect to internal services such as HTTP-enabled databases or perform POST requests towards internal services that are not intended to be exposed.

In this case, any logged-in user can abuse the credential test feature to forge HTTP/HTTPS requests from the AWX server and receive the result directly in the response. By default, the connector makes a POST request to /authn/<account>/<username> to authenticate and check the credential configuration. By pointing it at a malicious Apache server (with mod_rewrite), it is possible to generate arbitrary GET/POST requests on the internal network via a 307 redirection. In addition, the POST request body can be controlled by the user through the api_key parameter, and the proxy defined in the application settings is not taken into account.
Statement: Ansible Tower 3.7.1 and 3.6.4 as well as previous versions are affected.
Acknowledgments: Name: Maxime ESCOURBIAC (Michelin CERT team)
This issue has been addressed in the following products: Red Hat Ansible Tower 3.7 for RHEL 7 via RHSA-2020:3328 https://access.redhat.com/errata/RHSA-2020:3328
This issue has been addressed in the following products: Red Hat Ansible Tower 3.6 for RHEL 7 via RHSA-2020:3329 https://access.redhat.com/errata/RHSA-2020:3329
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14327