CVE-2024-1657

EPSS 0.08%
Published 25.04.2024 17:15:48
Last modified 21.11.2024 08:51:01
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in the ansible automation platform. An insecure WebSocket connection was being used in installation from the Ansible rulebook EDA server. An attacker that has access to any machine in the CIDR block could download all rulebook data from the WebSocket, resulting in loss of confidentiality and integrity of the system.

Affected products Warnungen 0 Metrics 2 CWE 1 References 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Collection URLhttps://github.com/ansible/ansible

≫

Package ansible

Default Statusunaffected

Version < 2.4

Version 0

Status affected

VendorRed Hat

≫

Product Red Hat Ansible Automation Platform 2.4 for RHEL 8

Default Statusaffected

Version < *

Version 0:2.4-6.el8ap

Status unaffected

VendorRed Hat

≫

Product Red Hat Ansible Automation Platform 2.4 for RHEL 8

Default Statusaffected

Version < *

Version 0:1.0.5-1.el8ap

Status unaffected

VendorRed Hat

≫

Product Red Hat Ansible Automation Platform 2.4 for RHEL 8

Default Statusaffected

Version < *

Version 0:1.0.5-1.el8ap

Status unaffected

VendorRed Hat

≫

Product Red Hat Ansible Automation Platform 2.4 for RHEL 9

Default Statusaffected

Version < *

Version 0:2.4-6.el9ap

Status unaffected

VendorRed Hat

≫

Product Red Hat Ansible Automation Platform 2.4 for RHEL 9

Default Statusaffected

Version < *

Version 0:1.0.5-1.el9ap

Status unaffected

VendorRed Hat

≫

Product Red Hat Ansible Automation Platform 2.4 for RHEL 9

Default Statusaffected

Version < *

Version 0:1.0.5-1.el9ap

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.08%	0.232

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
secalert@redhat.com	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-1385 Missing Origin Validation in WebSockets

The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.

https://access.redhat.com/errata/RHSA-2024:1057

https://access.redhat.com/security/cve/CVE-2024-1657

https://bugzilla.redhat.com/show_bug.cgi?id=2265085

https://nvd.nist.gov/vuln/detail/CVE-2024-1657

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-1657

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-1657

EUVD