VYPR
Unrated severity · NVD Advisory · Published Dec 19, 2019 · Updated Aug 5, 2024

CVE-2019-19340

Description

A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5.x before 3.5.3, where enabling RabbitMQ manager by setting it with '-e rabbitmq_enable_manager=true' exposes the RabbitMQ management interface publicly, as expected. If the default admin user is still active, an attacker could guess the password and gain access to the system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Ansible Tower installers expose RabbitMQ management interface publicly when RabbitMQ manager is enabled, allowing default credential guessing.

Vulnerability

A flaw was found in Ansible Tower versions 3.6.x before 3.6.2 and 3.5.x before 3.5.3. When the installer is invoked with the flag -e rabbitmq_enable_manager=true, the RabbitMQ management interface is exposed publicly. If the default guest admin user is still active, an attacker can attempt to guess the password [1].

Exploitation

An attacker with network access to the exposed RabbitMQ management interface can attempt to log in with the default guest user's credentials. Reaching the interface itself requires no authentication, because it is publicly accessible; only the login step does. The attacker simply connects to the management web UI or its HTTP API endpoint and tries common passwords for the guest account [1].

Impact

Successful exploitation allows the attacker to gain administrative access to the RabbitMQ management interface. This could lead to disclosure or modification of message queues, disruption of services, or further compromise of the Ansible Tower environment depending on the RabbitMQ configuration [1].

Mitigation

The issue can be mitigated by restricting access to the management interface to internal trusted networks, implementing firewall rules to limit which hosts can reach the port, and deleting the default guest user using the command rabbitmqctl delete_user guest. Red Hat also recommends following the Ansible Tower Administration Guide for secure deployment [1].
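The two mitigations above (removing the default guest user and keeping the management listener off public interfaces) can be verified from the command line. The following POSIX sh audit is an added example, not code from the advisory, Red Hat or the Ansible Tower project. It assumes the RabbitMQ management plugin's well-known default TCP port 15672 and the usual column layout of `rabbitmqctl list_users` and `ss -Hltn` output; the sample outputs embedded below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Defensive audit for the CVE-2019-19340 mitigations: flags a still-present
# default "guest" user and a RabbitMQ management listener bound to every
# interface. The functions take command output as text, so they can run
# offline against the constructed samples below; on a real host pass them
# the output of `rabbitmqctl list_users` and `ss -Hltn`.

# has_guest_user USERS_TEXT -> exit 0 if a user named exactly "guest" is listed.
# The "Listing users ..." header line has "Listing" as its first field, so it
# never matches.
has_guest_user() {
    printf '%s\n' "$1" | awk '$1 == "guest" { found = 1 } END { exit !found }'
}

# mgmt_bound_publicly SS_TEXT [PORT] -> exit 0 if a LISTEN socket on PORT
# (default 15672, the assumed management port) is bound to a wildcard address
# (0.0.0.0, *, [::] or ::) instead of loopback or an internal address.
mgmt_bound_publicly() {
    port=${2:-15672}
    printf '%s\n' "$1" | awk -v p="$port" '
        $1 == "LISTEN" && $4 ~ (":" p "$") {
            addr = $4
            sub(/:[0-9]+$/, "", addr)        # strip ":PORT" from the local address
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
                found = 1
        }
        END { exit !found }'
}

# audit_rabbitmq_exposure USERS_TEXT SS_TEXT -> prints one line per finding
# together with the corresponding mitigation; returns the number of findings
# (0 means both mitigations are in place).
audit_rabbitmq_exposure() {
    findings=0
    if has_guest_user "$1"; then
        echo "FINDING: default 'guest' user still exists -> rabbitmqctl delete_user guest"
        findings=$((findings + 1))
    fi
    if mgmt_bound_publicly "$2"; then
        echo "FINDING: management listener on 15672 bound to all interfaces -> bind it to an internal address or firewall the port"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample output (not from a real host) for an unmitigated install:
# guest still present, management port listening on 0.0.0.0.
SAMPLE_USERS_BAD='Listing users ...
guest   [administrator]
tower   [administrator]'
SAMPLE_SS_BAD='LISTEN 0 128 0.0.0.0:15672 0.0.0.0:* users:(("beam.smp",pid=1234,fd=40))
LISTEN 0 128 127.0.0.1:5672 0.0.0.0:*'

# Constructed sample output for a mitigated install: guest deleted, management
# port bound to loopback only.
SAMPLE_USERS_GOOD='Listing users ...
tower   [administrator]'
SAMPLE_SS_GOOD='LISTEN 0 128 127.0.0.1:15672 0.0.0.0:*
LISTEN 0 128 10.0.0.5:5672 0.0.0.0:*'

# Stand-alone run: audit the constructed unmitigated sample (reports 2 findings).
audit_rabbitmq_exposure "$SAMPLE_USERS_BAD" "$SAMPLE_SS_BAD" || echo "findings: $?"
```

On a live Tower node the same functions are driven with real data, for example `audit_rabbitmq_exposure "$(rabbitmqctl list_users)" "$(ss -Hltn)"`; a non-zero return code makes the check easy to wire into a post-install playbook or a periodic compliance job. Binding checks of this kind complement rather than replace the firewall rules the advisory recommends, since a listener on an internal address can still be reachable from more hosts than intended.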

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Range: 3.5.x < 3.5.3, 3.6.x < 3.6.2
  • Red Hat/Towerv5
    Range: ansible_tower versions 3.6.x before 3.6.2

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.