{ "threat_severity" : "Important", "public_date" : "2018-04-27T00:00:00Z", "bugzilla" : { "description" : "ansible-tower: Remote code execution by users with access to define variables in job templates", "id" : "1565862", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1565862" }, "cvss3" : { "cvss3_base_score" : "8.8", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-20", "details" : [ "Ansible Tower through version 3.2.3 has a vulnerability that allows users only with access to define variables for a job template to execute arbitrary code on the Tower server.", "Ansible Tower through version 3.2.3 has a vulnerability that allows users only with access to define variables for a job template to execute arbitrary code on the Tower server." ], "acknowledgement" : "Red Hat would like to thank Simon Vikström for reporting this issue.", "affected_release" : [ { "product_name" : "CloudForms Management Engine 5.8", "release_date" : "2018-06-25T00:00:00Z", "advisory" : "RHSA-2018:1972", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package" : "ansible-0:2.4.4.0-1.el7ae" }, { "product_name" : "CloudForms Management Engine 5.8", "release_date" : "2018-06-25T00:00:00Z", "advisory" : "RHSA-2018:1972", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package" : "ansible-tower-0:3.1.7-1.el7at" }, { "product_name" : "CloudForms Management Engine 5.8", "release_date" : "2018-06-25T00:00:00Z", "advisory" : "RHSA-2018:1972", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package" : "cfme-0:5.8.4.5-1.el7cf" }, { "product_name" : "CloudForms Management Engine 5.8", "release_date" : "2018-06-25T00:00:00Z", "advisory" : "RHSA-2018:1972", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package" : "cfme-appliance-0:5.8.4.5-1.el7cf" }, { "product_name" : "CloudForms Management Engine 5.8", "release_date" : "2018-06-25T00:00:00Z", "advisory" : "RHSA-2018:1972", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package" : "cfme-gemset-0:5.8.4.5-1.el7cf" }, { "product_name" : "CloudForms Management Engine 5.8", "release_date" : "2018-06-25T00:00:00Z", "advisory" : "RHSA-2018:1972", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package" : "python-paramiko-0:2.1.1-4.el7" }, { "product_name" : "CloudForms Management Engine 5.8", "release_date" : "2018-06-25T00:00:00Z", "advisory" : "RHSA-2018:1972", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.8::el7", "package" : "rh-ruby23-rubygem-json-0:2.1.0-1.el7cf" }, { "product_name" : "CloudForms Management Engine 5.9", "release_date" : "2018-05-07T00:00:00Z", "advisory" : "RHSA-2018:1328", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.9::el7", "package" : "ansible-0:2.4.4.0-1.el7ae" }, { "product_name" : "CloudForms Management Engine 5.9", "release_date" : "2018-05-07T00:00:00Z", "advisory" : "RHSA-2018:1328", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.9::el7", "package" : "ansible-tower-0:3.2.4-1.el7at" }, { "product_name" : "CloudForms Management Engine 5.9", "release_date" : "2018-05-07T00:00:00Z", "advisory" : "RHSA-2018:1328", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.9::el7", "package" : "cfme-0:5.9.2.4-1.el7cf" }, { "product_name" : "CloudForms Management Engine 5.9", "release_date" : "2018-05-07T00:00:00Z", "advisory" : "RHSA-2018:1328", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.9::el7", "package" : "cfme-amazon-smartstate-0:5.9.2.4-1.el7cf" }, { "product_name" : "CloudForms Management Engine 5.9", "release_date" : "2018-05-07T00:00:00Z", "advisory" : "RHSA-2018:1328", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.9::el7", "package" : "cfme-appliance-0:5.9.2.4-1.el7cf" }, { "product_name" : "CloudForms Management Engine 5.9", "release_date" : "2018-05-07T00:00:00Z", "advisory" : "RHSA-2018:1328", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.9::el7", "package" : "cfme-gemset-0:5.9.2.4-1.el7cf" }, { "product_name" : "CloudForms Management Engine 5.9", "release_date" : "2018-05-07T00:00:00Z", "advisory" : "RHSA-2018:1328", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.9::el7", "package" : "dbus-api-service-0:1.0.1-3.el7cf" }, { "product_name" : "CloudForms Management Engine 5.9", "release_date" : "2018-05-07T00:00:00Z", "advisory" : "RHSA-2018:1328", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.9::el7", "package" : "httpd-configmap-generator-0:0.2.1-2.el7cf" }, { "product_name" : "CloudForms Management Engine 5.9", "release_date" : "2018-05-07T00:00:00Z", "advisory" : "RHSA-2018:1328", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.9::el7", "package" : "postgresql96-0:9.6.6-1PGDG.el7" }, { "product_name" : "CloudForms Management Engine 5.9", "release_date" : "2018-05-07T00:00:00Z", "advisory" : "RHSA-2018:1328", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.9::el7", "package" : "python-paramiko-0:2.1.1-4.el7" }, { "product_name" : "CloudForms Management Engine 5.9", "release_date" : "2018-05-07T00:00:00Z", "advisory" : "RHSA-2018:1328", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.9::el7", "package" : "rh-ruby23-rubygem-json-0:2.1.0-1.el7cf" }, { "product_name" : "CloudForms Management Engine 5.9", "release_date" : "2018-05-07T00:00:00Z", "advisory" : "RHSA-2018:1328", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5.9::el7", "package" : "rh-ruby23-rubygem-qpid_proton-0:0.22.0-2.el7cf" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-1104\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1104" ], "name" : "CVE-2018-1104", "csaw" : false }