CVE-2017-12148
Description
A flaw was found in Ansible Tower's interface before 3.1.5 and 3.2.0 with SCM repositories. If a Tower project (SCM repository) definition does not have the 'delete before update' flag set, an attacker with commit access to the upstream playbook source repository could create a Trojan playbook that, when executed by Tower, modifies the checked out SCM repository to add git hooks. These git hooks could, in turn, cause arbitrary command and code execution as the user Tower runs as.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ansible Tower versions before 3.1.5 and 3.2.0 allow arbitrary command execution via git hooks in SCM repositories when the 'delete before update' flag is not set.
Vulnerability
A flaw exists in Ansible Tower's SCM repository handling before versions 3.1.5 and 3.2.0 [1]. When a Tower project (SCM repository) definition does not have the 'delete before update' flag enabled, an attacker with commit access to the upstream playbook source repository can inject a malicious playbook that modifies the checked-out SCM repository to add git hooks [2].
Exploitation
To exploit, an attacker must have commit access to the upstream playbook source repository. The attacker creates a Trojan playbook that, when executed by Tower, modifies the local SCM checkout to include git hooks. On the next SCM update, these hooks execute arbitrary commands with the privileges of the Tower service user (awx) [2].
Impact
Successful exploitation allows arbitrary command and code execution as the user Tower runs as (typically the awx user). This can lead to full compromise of the Tower service, including access to sensitive data, modification of configurations, and potential lateral movement within the infrastructure [1][2].
Mitigation
Red Hat released fixes in Ansible Tower versions 3.1.5 and 3.2.0 [1]. Users should upgrade to these versions or later. As a workaround, ensure the 'delete before update' flag is enabled for all SCM projects, which prevents the injection of git hooks [2].
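A defender-side audit for the condition described above, as an added example that is not part of the original page or Tower's own code: it lists non-sample files in each checkout's `.git/hooks` directory and the projects whose 'delete before update' flag is off. The field name `scm_delete_on_update`, the function names and the sample data are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

def find_active_hooks(projects_root):
    """Map checkout name -> non-.sample files in its .git/hooks directory.

    A fresh clone ships only *.sample hooks, so anything else was added
    after checkout and survives updates unless the checkout is deleted.
    """
    findings = {}
    for hooks_dir in sorted(Path(projects_root).glob("*/.git/hooks")):
        active = sorted(p.name for p in hooks_dir.iterdir()
                        if p.is_file() and not p.name.endswith(".sample"))
        if active:
            findings[hooks_dir.parent.parent.name] = active
    return findings

def projects_without_delete(projects):
    """Names of project records with 'delete before update' off.

    Assumption: the flag is exposed as 'scm_delete_on_update'.
    """
    return sorted(p["name"] for p in projects
                  if not p.get("scm_delete_on_update", False))

def build_sample_root(root):
    """Constructed sample data: two checkouts, one carrying an extra hook."""
    layout = {"clean_repo": ["pre-commit.sample"],
              "tampered_repo": ["pre-commit.sample", "post-merge"]}
    for name, hooks in layout.items():
        hooks_dir = Path(root) / name / ".git" / "hooks"
        hooks_dir.mkdir(parents=True)
        for hook in hooks:
            (hooks_dir / hook).write_text("#!/bin/sh\n# constructed placeholder\n")

# Constructed project records, shaped like entries from a project listing.
SAMPLE_PROJECTS = [
    {"name": "clean_repo", "scm_delete_on_update": True},
    {"name": "tampered_repo", "scm_delete_on_update": False},
]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_root(root)
        print("non-sample hooks:", find_active_hooks(root))
    print("flag off:", projects_without_delete(SAMPLE_PROJECTS))
```

A checkout that appears in both results is the combination the description warns about: a hook is present and the checkout will not be wiped before the next update.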
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <3.1.5, =3.2.0
Patches
No patches discovered yet.
References (2)
- access.redhat.com/errata/RHSA-2017:3005 (mitre, vendor-advisory, x_refsource_REDHAT)
- bugzilla.redhat.com/show_bug.cgi (mitre, x_refsource_CONFIRM)