Description
A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5.x before 3.5.3, where enabling RabbitMQ manager by setting it with '-e rabbitmq_enable_manager=true' exposes the RabbitMQ management interface publicly, as expected. If the default admin user is still active, an attacker could guess the password and gain access to the system.
CVSS breakdown
CVSS 3.0
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low
Affected products
- Red Hat / Toweransible_tower versions 3.6.x before 3.6.2 – ansible_tower versions 3.6.x before 3.6.2
- Red Hat / Toweransible_tower versions 3.5.x before 3.5.4 – ansible_tower versions 3.5.x before 3.5.4