- Issued:
- 2021-03-09
- Updated:
- 2021-03-09
RHSA-2021:0778 - Important: Red Hat Ansible Tower 3.6.7-1 - Container security and bug fix update
Synopsis
Important: Red Hat Ansible Tower 3.6.7-1 - Container security and bug fix update
Type/Severity
Security Advisory Important
Topic
Red Hat Ansible Tower 3.6.7-1 - RHEL7 Container
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Security Fix(es):
- Addressed a security issue which can allow a malicious playbook author to elevate to the awx user from outside the isolated environment: CVE-2021-20253
- Upgraded to a more recent version of nginx to address CVE-2019-20372
- Upgraded to a more recent version of autobahn to address CVE-2020-35678
- Upgraded to a more recent version of jquery to address CVE-2020-11022 and CVE-2020-11023
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
For information on upgrading Ansible Tower, reference the Ansible Tower Upgrade and Migration Guide: https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/index.html
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Ansible Automation Platform | Text-Only Advisories | x86_64 |
Fixes
- This content is not included.BZ - 1790277
- This content is not included.BZ - 1828406
- This content is not included.BZ - 1850004
- This content is not included.BZ - 1911314
- This content is not included.BZ - 1928847
CVEs
- CVE-2016-5766
- CVE-2018-20843
- CVE-2019-11719
- CVE-2019-11727
- CVE-2019-11756
- CVE-2019-12749
- CVE-2019-14866
- CVE-2019-15903
- CVE-2019-17006
- CVE-2019-17023
- CVE-2019-17498
- CVE-2019-19956
- CVE-2019-20372
- CVE-2019-20388
- CVE-2019-20907
- CVE-2020-1971
- CVE-2020-6829
- CVE-2020-7595
- CVE-2020-8177
- CVE-2020-10543
- CVE-2020-10878
- CVE-2020-11022
- CVE-2020-11023
- CVE-2020-12243
- CVE-2020-12400
- CVE-2020-12401
- CVE-2020-12402
- CVE-2020-12403
- CVE-2020-12723
- CVE-2020-35678
- CVE-2021-20178
- CVE-2021-20180
- CVE-2021-20191
- CVE-2021-20228
- CVE-2021-20253
References
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.