CVE-2020-10709 Detail
This vulnerability is currently awaiting analysis.
Description
A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. Ansible Tower uses the token to provide authentication. This flaw allows an attacker to obtain a refresh token that does not expire. The original token granted to the user still has access to Ansible Tower, which allows any user that can gain access to the token to be fully authenticated to Ansible Tower. This flaw affects Ansible Tower versions before 3.6.4 and Ansible Tower versions before 3.5.6.
Weakness Enumeration
CWE-ID | CWE Name | Source |
---|---|---|
CWE-613 | Insufficient Session Expiration | Red Hat, Inc. |
CWE-287 | Improper Authentication | Red Hat, Inc. |
CWE-672 | Operation on a Resource after Expiration or Release | Red Hat, Inc. |
Change History
0 change records found
Quick Info
CVE Dictionary Entry: CVE-2020-10709
NVD Published Date: 05/27/2021
NVD Last Modified: 05/27/2021
Source: Red Hat, Inc.