History: Aug 25, 2022 - 8:15 p.m.

CVE-2021-4112

2022-08-25 20:15:09
CWE-552
web.nvd.nist.gov
cve-2021-4112
ansible-tower
vulnerability
privilege escalation
job isolation escape
awx user

CVSS3: 8.8 High

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score: 8.2 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 12.7%)

A flaw was found in ansible-tower where the default installation is vulnerable to job isolation escape. This flaw allows an attacker to elevate the privilege from a low privileged user to an AWX user from outside the isolated environment.

Affected configurations

Node: ansible tower, Range: 3.8.5

Vendor: ansible
Product: tower
Version: *
CPE: cpe:2.3:a:ansible:tower:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "ansible-tower",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Fixed in ansible-tower 3.8.5"
      }
    ]
  }
]
