VYPR
Unrated severity · NVD Advisory · Published Dec 19, 2019 · Updated Aug 5, 2024

CVE-2019-19341

Description

A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2, where files in '/var/backup/tower' are left world-readable. These files include both the SECRET_KEY and the database backup. Any user with access to the Tower server, and knowledge of when a backup is run, could retrieve every credential stored in Tower. Access to data is the highest threat with this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Ansible Tower 3.6.x before 3.6.2 leaves backup files world-readable, exposing SECRET_KEY and database backups, allowing local attackers to steal all stored credentials.

Vulnerability

A flaw in Ansible Tower versions 3.6.x before 3.6.2 causes files in /var/backup/tower to be left world-readable during backup operations. These files include the SECRET_KEY and the database backup, which contains all stored credentials [1].

Exploitation

An attacker with access to the Tower server and knowledge of when a backup is running can read the world-readable files at /var/backup/tower. No authentication is required beyond local file system access [1].

Impact

Successful exploitation allows the attacker to retrieve the SECRET_KEY and the entire database backup, thereby gaining access to every credential stored in Tower. This represents a complete compromise of credential confidentiality, with the highest threat to data [1].

Mitigation

Upgrade to Ansible Tower version 3.6.2 or later, which fixes the file permission issue. If immediate upgrade is not possible, restrict local access to the Tower server and ensure backups are not performed or are secured via strict file permissions [1].
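A defensive check for the interim mitigation above, as an added example (not Red Hat's fix and not code from the advisory): it lists files in the backup directory that other local users can actually read, and tightens permissions. The function names are hypothetical, and `chmod -R go-rwx` is one assumed reading of "strict file permissions".

```shell
#!/bin/sh
# Added example: audit a Tower backup directory for files other local users can read.
# The default path is the one named in the advisory; everything else is illustrative.
BACKUP_DIR="${BACKUP_DIR:-/var/backup/tower}"

# Print regular files under $1 that carry the other-read bit and are reachable:
# directories without the other-execute bit are pruned, because other users
# cannot traverse them. Ancestors above $1 are assumed to be traversable.
list_world_readable() {
    find "$1" -type d ! -perm -001 -prune -o -type f -perm -004 -print 2>/dev/null
}

# Return 0 when nothing is exposed, 1 when at least one file is exposed,
# 2 when the directory does not exist.
audit_backup_dir() {
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 2; }
    exposed=$(list_world_readable "$1")
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed" | sed 's/^/world-readable: /'
        return 1
    fi
    return 0
}

# Assumed remediation: strip all group and other permissions from the tree.
lock_down_backup_dir() {
    chmod -R go-rwx "$1"
}

# Run the audit only when a directory is given on the command line,
# e.g.  sh audit.sh /var/backup/tower
if [ "$#" -gt 0 ]; then
    audit_backup_dir "$1"
fi
```

Because the files are only exposed while they exist, run the audit right after a backup job as well as on a schedule.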

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Range: <3.6.2
  • RedHat/Towerv5
    Range: all ansible_tower versions 3.6.x before 3.6.2

References

1
