Home > Vulnerability Database > CVE-2020-10709

Mend.io Vulnerability Database

CVE-2020-10709

Date: May 27, 2021

A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. Ansible Tower uses the token to provide authentication. This flaw allows an attacker to obtain a refresh token that does not expire. The original token granted to the user still has access to Ansible Tower, which allows any user that can gain access to the token to be fully authenticated to Ansible Tower. This flaw affects Ansible Tower versions before 3.6.4 and Ansible Tower versions before 3.5.6.

Language: Python

Severity Score

7.1

Related Resources (4)

Url: https://bugzilla.redhat.com/show_bug.cgi?id=1824033

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-10709

Url: https://github.com/ansible/awx/commit/25a1bc7a3365a6029896f3128552d86bcae26dfb

Url: https://www.mend.io/vulnerability-database/CVE-2020-10709

Severity Score

7.1

Weakness Type (CWE)

Improper Authentication

CWE-287

Insufficient Session Expiration

CWE-613

Operation on a Resource after Expiration or Release

CWE-672

CVSS v3.1

Base Score:	7.1
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	3.6
Access Vector (AV):	LOCAL
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-10709

Date: May 27, 2021

Language: Python

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?