Ansible Tower 3.x < 3.3.5 / 3.4.x < 3.4.3 Privilege Escalation Vulnerability
Medium Nessus Plugin ID 127126
Synopsis
An IT monitoring application running on the remote host is affected by an unauthorized access vulnerability.
Description
The version of Ansible Tower running on the remote web server is 3.3.x prior to 3.3.5 or 3.4.x prior to 3.4.3. It is, therefore, affected by an unauthorized access vulnerability due to a RabbitMQ misconfiguration. The configuration does not set a secure channel for messaging Celery workers, which results in a leak of sensitive data and, in turn, a potential privilege escalation vulnerability, as well as the ability to delete projects and files.
Solution
Upgrade to Ansible Tower version 3.3.5 / 3.4.3 or later.