CVE-2020-10697 Information

Description

A flaw was found in Ansible Tower when running Openshift. Tower runs a memcached which is accessed via TCP. An attacker can take advantage of writing a playbook polluting this cache causing a denial of service attack. This attack would not completely stop the service but in the worst-case scenario it can reduce the Tower performance for which memcached is designed. Theoretically more sophisticated attacks can be performed by manipulating and crafting the cache as Tower relies on memcached as a place to pull out setting values. Confidential and sensitive data stored in memcached should not be pulled as this information is encrypted. This flaw affects Ansible Tower versions before 3.6.4 Ansible Tower versions before 3.5.6 and Ansible Tower versions before 3.4.6.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Reference

https://bugzilla.redhat.com/show_bug.cgi?id=1818445

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

NONE

Base Score

LOW

Base Severity

4.4