Vulnerability Details : CVE-2018-1101
Ansible Tower before version 3.2.4 has a flaw in the management of system and organization administrators that allows for privilege escalation. System administrators that are members of organizations can have their passwords reset by organization administrators, allowing organization administrators access to the entire system.
Vulnerability category: Gain privilege
Products affected by CVE-2018-1101
- cpe:2.3:a:redhat:cloudforms:4.5:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-1101
- EPSS score: 0.27% (probability of exploitation activity in the next 30 days)
- Percentile: ~64% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2018-1101
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | 
7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | NIST | 
CWE ids for CVE-2018-1101
- A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. Assigned by: secalert@redhat.com (Secondary)
- The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-1101
- https://www.ansible.com/security : Ansible Security Disclosures (Vendor Advisory)
- https://access.redhat.com/security/cve/cve-2018-1101 : CVE-2018-1101 - Red Hat Customer Portal (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1563492 : 1563492 – (CVE-2018-1101) CVE-2018-1101 ansible-tower: Privilege escalation flaw allows for organization admins to obtain system privileges (Issue Tracking; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1972 : RHSA-2018:1972 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1328 : RHSA-2018:1328 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)