| Vulnerability Name: | CVE-2019-19342 (CCN-173494) | ||||||||||||
| Assigned: | 2019-12-19 | ||||||||||||
| Published: | 2019-12-19 | ||||||||||||
| Updated: | 2020-05-21 | ||||||||||||
| Summary: | A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5.x before 3.5.4, when /websocket is requested and the password contains the '#' character. This request would cause a socket error in RabbitMQ when parsing the password and an HTTP error code 500 and partial password disclose will occur in plaintext. An attacker could easily guess some predictable passwords or brute force the password. | ||||||||||||
| CVSS v3 Severity: | 5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) 4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
| ||||||||||||
| CVSS v2 Severity: | 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
| ||||||||||||
| Vulnerability Type: | CWE-209 | ||||||||||||
| Vulnerability Consequences: | Obtain Information | ||||||||||||
| References: | Source: MITRE Type: CNA CVE-2019-19342 Source: CCN Type: Red Hat Bugzilla Bug 1782623 (CVE-2019-19342) - CVE-2019-19342 Tower: special characters in RabbitMQ passwords causes web socket 500 error Source: CONFIRM Type: Issue Tracking, Vendor Advisory https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19342 Source: XF Type: UNKNOWN ansible-cve201919342-info-disc(173494) Source: CCN Type: Ansible Web site Red Hat Ansible Tower | ||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||
| BACK | |||||||||||||