CVE-2018-1101

moderate-risk

Published 2018-05-02

Ansible Tower before version 3.2.4 has a flaw in the management of system and organization administrators that allows for privilege escalation. System administrators that are members of organizations can have their passwords reset by organization administrators, allowing organization administrators access to the entire system.

Do I need to act?

0.43% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.2/10 High

NETWORK / LOW complexity

Affected Products (3)

Ansible Tower

Cloudforms

Affected Vendors

Redhat

References (10)

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:1328

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:1972

Third Party Advisory https://access.redhat.com/security/cve/cve-2018-1101

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1563492

Vendor Advisory https://www.ansible.com/security

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:1328

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:1972

Third Party Advisory https://access.redhat.com/security/cve/cve-2018-1101

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1563492

Vendor Advisory https://www.ansible.com/security

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 2/34 · Minimal

Exposure 9/34 · Low