CVE-2019-19342
Description
A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5.x before 3.5.4, when /websocket is requested and the password contains the '#' character. This request causes a socket error in RabbitMQ when parsing the password; an HTTP error code 500 is returned and part of the password is disclosed in plaintext. An attacker could easily guess some predictable passwords or brute force the password.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ansible Tower leaks RabbitMQ password in 500 error when password contains '#' and /websocket is requested.
Vulnerability
A flaw exists in Ansible Tower versions 3.6.x before 3.6.2 and 3.5.x before 3.5.4. When the /websocket endpoint is requested and the RabbitMQ password contains the # character, a socket error occurs during password parsing, causing an HTTP 500 error that discloses part of the password in plaintext [1].
Exploitation
An attacker needs network access to the Ansible Tower web interface and must be able to trigger a request to the /websocket endpoint. The target environment must have a RabbitMQ password containing the # character. The request causes a socket error in RabbitMQ, and the server returns an HTTP 500 error page that includes a portion of the password [1].
Impact
Successful exploitation results in partial disclosure of the RabbitMQ password in plaintext. This information can be used by an attacker to guess predictable passwords or aid in brute-force attacks against the full password [1].
Mitigation
Fixed versions are 3.6.2 and 3.5.4. Users should upgrade to these versions or later. As a workaround, administrators can change RabbitMQ passwords to avoid the # character, using longer, unpredictable strings to maintain strength [1].
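A defender-side check for the conditions described above, as an added example that is not part of the advisory or of Ansible Tower: it tests a version string against the affected ranges and flags /websocket requests answered with HTTP 500 in a web access log. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumption: the front-end proxy writes the common "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Fixed releases per affected branch, taken from the advisory text.
FIXED = {(3, 6): (3, 6, 2), (3, 5): (3, 5, 4)}

def is_affected(version):
    """True for 3.6.x before 3.6.2 and 3.5.x before 3.5.4."""
    v = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed

def websocket_500s(lines):
    """Return (timestamp, client) for each /websocket request answered with 500."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path == "/websocket" and m["status"] == "500":
            hits.append((m["ts"], m["ip"]))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [12/Dec/2019:10:01:02 +0000] "GET /websocket/ HTTP/1.1" 500 1532 "-" "curl/7.61"',
    '192.0.2.10 - - [12/Dec/2019:10:01:05 +0000] "GET /api/v2/ping/ HTTP/1.1" 200 310 "-" "curl/7.61"',
    '198.51.100.7 - - [12/Dec/2019:10:02:00 +0000] "GET /websocket/ HTTP/1.1" 101 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Dec/2019:10:03:00 +0000] "GET /api/v2/jobs/ HTTP/1.1" 500 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for version in ("3.5.3", "3.5.4", "3.6.1", "3.6.2"):
        print(version, "affected" if is_affected(version) else "not affected")
    for ts, ip in websocket_500s(SAMPLE):
        print("review 500 on /websocket:", ts, ip)
```

A hit on an affected version is a reason to inspect the corresponding error response for leaked password fragments and to rotate the RabbitMQ password after upgrading.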
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <3.6.2, <3.5.4
- Red Hat/Tower, v5, Range: all ansible_tower versions 3.6.x before 3.6.2
References
- [1] bugzilla.redhat.com/show_bug.cgi (mitre, x_refsource_CONFIRM)