CVE-2019-14890
Description
A vulnerability was found in Ansible Tower before 3.6.1 where an attacker with low privilege could retrieve username and password credentials for the new RHSM, saved in plain text in the database, at '/api/v2/config' when applying the Ansible Tower license.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ansible Tower 3.6.0 stores RHSM credentials in plaintext, accessible to low-privilege attackers via /api/v2/config.
Vulnerability
Ansible Tower versions before 3.6.1, specifically 3.6.0, contain a vulnerability where Red Hat Subscription Management (RHSM) usernames and passwords are saved in plaintext into the database after applying the Ansible Tower license. The exposed credentials are accessible via the /api/v2/config endpoint [1]. Affected version: Ansible Tower 3.6.0. Versions 3.5, 3.4, and 3.3 are not vulnerable as they do not include the new RHSM [1].
Exploitation
An attacker with low privileges can retrieve the stored usernames and passwords by sending a GET request to /api/v2/config after the license has been applied. No additional authentication or special network position is required beyond having low-privilege access to the Ansible Tower instance [1].
Impact
Successful exploitation leads to disclosure of RHSM credentials, potentially allowing the attacker to gain unauthorized access to Red Hat subscription management services. The scope of compromise is limited to the credential information stored by the RHSM feature [1].
Mitigation
Ansible Tower 3.6.1, released on November 26, 2019, fixes this issue by no longer storing credentials in plaintext. There is no effective workaround other than upgrading to the fixed version [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Ansible/Tower
- Range: <3.6.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] bugzilla.redhat.com/show_bug.cgi (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.