Description
Ansible Tower before version 3.2.4 has a flaw in the management of system and organization administrators that allows for privilege escalation. System administrators that are members of organizations can have their passwords reset by organization administrators, allowing organization administrators access to the entire system.
References (5)
Vendor Advisory (x_refsource_confirm): https://www.ansible.com/security
Issue Tracking, Third Party Advisory (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=1563492
Third Party Advisory, vendor-advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2018:1972
Third Party Advisory (x_refsource_misc): https://access.redhat.com/security/cve/cve-2018-1101
Third Party Advisory, vendor-advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2018:1328
Scores
CVSS v3: 7.2
EPSS: 0.0201
EPSS Percentile: 78.2%
Attack Vector: NETWORK
CVSS v3 vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-521, CWE-266
Status: published
Products (3)
redhat/ansible_tower < 3.2.4
redhat/cloudforms 4.5
redhat/cloudforms 4.6
Published: May 02, 2018
Tracked Since: Feb 18, 2026