Bug 1824033 (CVE-2020-10709) - CVE-2020-10709 Tower: OAuth2 refresh tokens do not respect the expiration
Summary: CVE-2020-10709 Tower: OAuth2 refresh tokens do not respect the expiration
Keywords:
Status: NEW
Alias: CVE-2020-10709
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1824034 1824035
Blocks: 1824028
Reported: 2020-04-15 06:34 UTC by Borja Tarraso
Modified: 2023-12-01 13:42 UTC
3 users

Fixed In Version: ansible_tower 3.6.4, ansible_tower 3.5.6
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Borja Tarraso 2020-04-15 06:34:38 UTC
OAuth2 refresh tokens do not respect the expiration specified in REFRESH_TOKEN_EXPIRE_SECONDS.

Comment 3 Borja Tarraso 2020-04-16 08:05:08 UTC
Acknowledgments:

Name: @sdwru

Comment 4 Borja Tarraso 2020-04-16 08:05:11 UTC
Statement:

Ansible Tower 3.5.5 and 3.6.3 as well as previous versions are affected.

Comment 5 Borja Tarraso 2020-04-16 08:05:14 UTC
Mitigation:

Whenever possible, deleting the user from Ansible Tower is the only way to mitigate the authentication of OAuth2 tokens.

Comment 6 Borja Tarraso 2020-04-16 08:08:10 UTC
Upstream AWX fix: https://github.com/ansible/awx/issues/6630
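The following is an added illustration of the bug class named in the description and the reason the mitigation above is so blunt: a refresh-token check that looks only at existence and revocation keeps accepting a token long after REFRESH_TOKEN_EXPIRE_SECONDS has elapsed, so the only remaining lever is removing the token's owner. It is not Ansible Tower or AWX code; the token store, the sample tokens, the timestamp and the setting's value are constructed for the example, and only the setting name comes from the report. The hardened validator adds the lifetime check, and the audit function is a defender's check for unrevoked tokens already past their lifetime.

```python
"""Constructed illustration of an OAuth2 refresh-token validator that ignores
REFRESH_TOKEN_EXPIRE_SECONDS, beside one that enforces it. Not Tower/AWX code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Setting name taken from the bug description; the value here is constructed.
REFRESH_TOKEN_EXPIRE_SECONDS = 2592000  # 30 days

# Constructed "current time" used by the sample data and the usage section.
SAMPLE_NOW = datetime(2020, 4, 15, 6, 34, tzinfo=timezone.utc)


@dataclass
class RefreshToken:
    token: str
    user: str
    created: datetime                 # timezone-aware issue time
    revoked: Optional[datetime] = None


@dataclass
class TokenStore:
    """Minimal stand-in for the database table holding refresh tokens."""
    tokens: Dict[str, RefreshToken] = field(default_factory=dict)

    def add(self, t: RefreshToken) -> None:
        self.tokens[t.token] = t

    def get(self, token: str) -> Optional[RefreshToken]:
        return self.tokens.get(token)


def refresh_expired(t: RefreshToken, now: datetime,
                    expire_seconds: int = REFRESH_TOKEN_EXPIRE_SECONDS) -> bool:
    """True once the token is older than the configured refresh lifetime."""
    return now >= t.created + timedelta(seconds=expire_seconds)


def validate_refresh_vulnerable(store: TokenStore, token: str, now: datetime) -> bool:
    """Vulnerable pattern: existence and revocation are checked, expiry is not,
    so a token issued long ago still mints new access tokens."""
    t = store.get(token)
    return t is not None and t.revoked is None


def validate_refresh_hardened(store: TokenStore, token: str, now: datetime) -> bool:
    """Hardened pattern: same checks plus rejection past REFRESH_TOKEN_EXPIRE_SECONDS."""
    t = store.get(token)
    if t is None or t.revoked is not None:
        return False
    return not refresh_expired(t, now)


def audit_stale_refresh_tokens(store: TokenStore, now: datetime) -> List[str]:
    """Defender's check: unrevoked refresh tokens already past their lifetime.
    On an unpatched system these are still usable; revoking them closes the gap
    without deleting the user."""
    return sorted(t.token for t in store.tokens.values()
                  if t.revoked is None and refresh_expired(t, now))


def build_sample_store(now: datetime) -> TokenStore:
    """Constructed sample data: one fresh token, one past expiry, one revoked."""
    store = TokenStore()
    store.add(RefreshToken("rt-fresh", "alice", now - timedelta(days=1)))
    store.add(RefreshToken("rt-stale", "bob", now - timedelta(days=45)))
    store.add(RefreshToken("rt-revoked", "carol", now - timedelta(days=2),
                           revoked=now - timedelta(hours=1)))
    return store


if __name__ == "__main__":
    store = build_sample_store(SAMPLE_NOW)
    for name in ("rt-fresh", "rt-stale", "rt-revoked", "rt-unknown"):
        print(f"{name:11} vulnerable={validate_refresh_vulnerable(store, name, SAMPLE_NOW)!s:5} "
              f"hardened={validate_refresh_hardened(store, name, SAMPLE_NOW)}")
    print("stale but unrevoked:", audit_stale_refresh_tokens(store, SAMPLE_NOW))
```

The difference shows up only for "rt-stale": the vulnerable validator accepts it 45 days after issue, the hardened one does not. Running the audit over a token table before patching lists exactly those tokens, which is a narrower response than deleting their owners.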

