Description
A Server-Side Request Forgery flaw was found in ManageIQ where malicious requests can be sent from the vulnerable server. An attacker with the privileges to add an Ansible Tower provider could inject URLs with port details or with internal IPs to observe the internal network.
Acknowledgements
Red Hat would like to thank Purnachand Pulahari (IBM) and Ranjit Kumar Singh (IBM) for reporting this issue.
https://access.redhat.com/security/cve/cve-2020-14296
Details
When adding an Ansible Tower provider, if a non-Tower address was specified, then the presented error message would show the details of the error response from that server. As such, the provider addition screen could be used as a poor man's network scanner.
This was fixed by upgrading to the latest ansible-tower-client-ruby gem, which contains a fix for invalid JSON responses, thus eliminating the payload from view.
Fixed in ivanchuk-7, jansa-1-rc1, master
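The leak described under Details and the shape of its fix, as an added Ruby example (not code from ManageIQ or ansible-tower-client-ruby). The error class, function names, log sink and sample responses are hypothetical and constructed for illustration.

```ruby
require "json"

# Hypothetical error class; not part of ansible-tower-client-ruby.
class ProviderValidationError < StandardError; end

GENERIC_MESSAGE = "The address did not respond like an Ansible Tower API endpoint."

# Before: a body that is not valid JSON is copied into the error the UI shows,
# so whatever the contacted host answered becomes visible to the requester.
def parse_response_leaky(body)
  JSON.parse(body.to_s)
rescue JSON::ParserError
  raise ProviderValidationError, "Unexpected response: #{body}"
end

# After: the same failure yields a fixed message. The body is kept only
# (truncated and escaped) in a server-side log the requester cannot read.
# `log` is an assumed sink; any object responding to << works.
def parse_response_safe(body, log: [])
  JSON.parse(body.to_s)
rescue JSON::ParserError
  raw = body.to_s
  log << "non-JSON provider response (#{raw.bytesize} bytes): #{raw[0, 200].inspect}"
  raise ProviderValidationError, GENERIC_MESSAGE
end

# What the "add provider" screen would display for the wrapped validation call.
def ui_message
  yield
  "Validation successful"
rescue ProviderValidationError => e
  e.message
end

# Constructed samples: a banner from an internal non-Tower service, and a
# JSON body standing in for a well-formed API reply.
INTERNAL_BANNER = "SSH-2.0-ExampleServer_1.0\r\n"
TOWER_LIKE_JSON = '{"version": "constructed"}'

if __FILE__ == $PROGRAM_NAME
  puts "leaky: #{ui_message { parse_response_leaky(INTERNAL_BANNER) }.inspect}"
  puts "safe:  #{ui_message { parse_response_safe(INTERNAL_BANNER) }.inspect}"
end
```
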