{"containers": {"cna": {"affected": [{"product": "Ansible Tower", "vendor": "n/a", "versions": [{"status": "affected", "version": "Ansible Tower 3.7.1 as well as previous versions are affected."}]}], "descriptions": [{"lang": "en", "value": "A data exposure flaw was found in Tower, where sensitive data was revealed from the HTTP return error codes. This flaw allows an unauthenticated, remote attacker to retrieve pages from the default organization and verify existing usernames. The highest threat from this vulnerability is to data confidentiality."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "Generation of Error Message Containing Sensitive Information CWE-209", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-07-31T12:42:55", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1859139"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-14337", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Ansible Tower", "version": {"version_data": [{"version_value": "Ansible Tower 3.7.1 as well as previous versions are affected."}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A data exposure flaw was found in Tower, where sensitive data was revealed from the HTTP return error codes. This flaw allows an unauthenticated, remote attacker to retrieve pages from the default organization and verify existing usernames. The highest threat from this vulnerability is to data confidentiality."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Generation of Error Message Containing Sensitive Information CWE-209"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1859139", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1859139"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:39:36.520Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1859139"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-14337", "datePublished": "2020-07-31T12:42:55", "dateReserved": "2020-06-17T00:00:00", "dateUpdated": "2024-08-04T12:39:36.520Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible_tower:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "834EEDDD-5071-4D2E-A66E-4DC017A2C8D1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A data exposure flaw was found in Tower, where sensitive data was revealed from the HTTP return error codes. This flaw allows an unauthenticated, remote attacker to retrieve pages from the default organization and verify existing usernames. The highest threat from this vulnerability is to data confidentiality."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo de exposici\u00f3n de datos en Tower, donde fueron revelados datos confidenciales de los c\u00f3digos de error de retorno HTTP. Este fallo permite a un atacante no autenticado remoto recuperar p\u00e1ginas de la organizaci\u00f3n predeterminada y comprobar los nombres de usuario presentes. La mayor amenaza de esta vulnerabilidad es la confidencialidad de los datos"}], "id": "CVE-2020-14337", "lastModified": "2020-08-11T17:03:47.937", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-07-31T13:15:12.537", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1859139"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-209"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Joshua Niemann (IBM GTS) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2020:3328", "cpe": "cpe:/a:redhat:ansible_tower:3.7::el7", "package": "ansible-tower-37/ansible-tower-rhel7:3.7.2-1", "product_name": "Red Hat Ansible Tower 3.7 for RHEL 7", "release_date": "2020-08-05T00:00:00Z"}], "bugzilla": {"description": "Tower: Named URLs allow for testing the presence or absence of objects", "id": "1859139", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1859139"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-209", "details": ["A data exposure flaw was found in Tower, where sensitive data was revealed from the HTTP return error codes. This flaw allows an unauthenticated, remote attacker to retrieve pages from the default organization and verify existing usernames. The highest threat from this vulnerability is to data confidentiality.", "A data exposure flaw was found in Tower, where sensitive data was revealed from the HTTP return error codes. This flaw allows an unauthenticated, remote attacker to retrieve pages from the default organization and verify existing usernames. The highest threat from this vulnerability is to data confidentiality."], "mitigation": {"lang": "en:us", "value": "There is no mitigation for this issue."}, "name": "CVE-2020-14337", "public_date": "2020-07-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-14337\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14337"], "statement": "Ansible Tower 3.7.1 as well as previous versions are affected.", "threat_severity": "Moderate", "upstream_fix": "ansible_tower 3.7.2, ansible_tower 3.8.0"}