exploit the possibilities

Red Hat Security Advisory 2020-5249-01

Red Hat Security Advisory 2020-5249-01
Posted Nov 30, 2020
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2020-5249-01 - Fixed two jQuery vulnerabilities Improved Ansible Tower's web service configuration to allow for processing more simultaneous HTTP requests by default Updated several dependencies of Ansible Tower's User Interface to address Updated to the latest version of python-psutil to address CVE-2019-18874 Added several optimizations to improve performance for a variety of high-load simultaneous job launch use cases Fixed workflows to no longer prevent certain users from being able to edit approval nodes Fixed confusing behavior for social auth logins across distinct browser tabs Fixed launching of Job Templates that use prompt-at-launch Ansible Vault credentials. Issues addressed include code execution and cross site scripting vulnerabilities.

tags | advisory, web, vulnerability, code execution, xss, python
systems | linux, redhat
advisories | CVE-2019-18874, CVE-2020-11022, CVE-2020-11023, CVE-2020-7676, CVE-2020-7720, CVE-2020-7743
MD5 | 4eefeaf6b7e349b286bcd7fc4ba67327

Red Hat Security Advisory 2020-5249-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: security update - Red Hat Ansible Tower 3.7.4-1 - RHEL7 Container
Advisory ID: RHSA-2020:5249-01
Product: Red Hat Ansible Tower
Advisory URL: https://access.redhat.com/errata/RHSA-2020:5249
Issue date: 2020-11-30
CVE Names: CVE-2019-18874 CVE-2020-7676 CVE-2020-7720
CVE-2020-7743 CVE-2020-11022 CVE-2020-11023
====================================================================
1. Summary:

Red Hat Ansible Tower 3.7.4-1 - RHEL7 Container

2. Description:

* Fixed two jQuery vulnerabilities (CVE-2020-11022, CVE-2020-11023)
* Improved Ansible Tower's web service configuration to allow for
processing more simultaneous HTTP(s) requests by default
* Updated several dependencies of Ansible Tower's User Interface to address
(CVE-2020-7720, CVE-2020-7743, CVE-2020-7676)
* Updated to the latest version of python-psutil to address CVE-2019-18874
* Added several optimizations to improve performance for a variety of
high-load simultaneous job launch use cases
* Fixed workflows to no longer prevent certain users from being able to
edit approval nodes
* Fixed confusing behavior for social auth logins across distinct browser
tabs
* Fixed launching of Job Templates that use prompt-at-launch Ansible Vault
credentials

3. Solution:

For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:
https://docs.ansible.com/ansible-tower/latest/html/upgrade-migration-guide/
index.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
1850004 - CVE-2020-11023 jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution

5. References:

https://access.redhat.com/security/cve/CVE-2019-18874
https://access.redhat.com/security/cve/CVE-2020-7676
https://access.redhat.com/security/cve/CVE-2020-7720
https://access.redhat.com/security/cve/CVE-2020-7743
https://access.redhat.com/security/cve/CVE-2020-11022
https://access.redhat.com/security/cve/CVE-2020-11023
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX8T+OtzjgjWX9erEAQhfUA//as832FB6CfzebHnoVBMz8gro1sZQhTgH
uzYWdgYkDI4kMqO8u4bD3k9YXaYwub32d5xcpkOZ9ZtTl263EmpA807E5qATCuli
Tn5PmIJ80y9HbHfK0xmjd+bm7FJZZsFO0JEKkXbYeTxljgZRgIXN42fCZjn22j5m
QzhA2YCU3v7y+CRplqftvXP7LpBZtoSvCHr/hWHXuAirvtO3epV8+YLoAtnzT0Xl
kRJbsSC9INuYpCoMBR2owKUX5aklB6q9zWyzGpkbxMrqBEnAi9xm/Pmey/u9Lmzn
h8kXzthVkolKw9RIp5Qnp95h9110gvVxwgIpU2a+n+JipONBgrOCARlj9ttOuxfZ
erCOaDgAwHHHfK+qXOZtZJ36uX9DiWZCOaBkgFzSOLNqtoGO5YBloMQx3Ivt7IsE
WQZ3rVttEklI06Vlm2q6Tyz6E78WUjr12Eh1S6QwN6Gjp9SVgYip1RCkBErulgt3
edIQfIewynXOP3rrmLbLy68IGnNz2xJgVzW84WtEY7mygISv7/O9u0a2Ar+2Jm++
rXlXeK5+Shl4h4MeY+4fvH2k5TaSCliMLK+lCl5H65H+DPLHg90mlkP8wu8XoGCI
AKoU9hrPRxdCHijX2zH6NFZ75Kmzk//7SiCNIvgZAwDbiu/GK5/+xxcfpukE5Tld
+uNGueVnork=BM3i
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

March 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    19 Files
  • 2
    Mar 2nd
    15 Files
  • 3
    Mar 3rd
    30 Files
  • 4
    Mar 4th
    13 Files
  • 5
    Mar 5th
    9 Files
  • 6
    Mar 6th
    0 Files
  • 7
    Mar 7th
    0 Files
  • 8
    Mar 8th
    0 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    0 Files
  • 14
    Mar 14th
    0 Files
  • 15
    Mar 15th
    0 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close