Hash: SHA256

                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Ansible Tower 3.6.7-1 - Container security and bug fix update
Advisory ID:       RHSA-2021:0778-01
Product:           Red Hat Ansible Tower
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0778
Issue date:        2021-03-09
CVE Names:         CVE-2016-5766 CVE-2018-20843 CVE-2019-11719 
                   CVE-2019-11727 CVE-2019-11756 CVE-2019-12749 
                   CVE-2019-14866 CVE-2019-15903 CVE-2019-17006 
                   CVE-2019-17023 CVE-2019-17498 CVE-2019-19956 
                   CVE-2019-20372 CVE-2019-20388 CVE-2019-20907 
                   CVE-2020-1971 CVE-2020-6829 CVE-2020-7595 
                   CVE-2020-8177 CVE-2020-10543 CVE-2020-10878 
                   CVE-2020-11022 CVE-2020-11023 CVE-2020-12243 
                   CVE-2020-12400 CVE-2020-12401 CVE-2020-12402 
                   CVE-2020-12403 CVE-2020-12723 CVE-2020-35678 
                   CVE-2021-20178 CVE-2021-20180 CVE-2021-20191 
                   CVE-2021-20228 CVE-2021-20253 

1. Summary:

Red Hat Ansible Tower 3.6.7-1 - RHEL7 Container

Red Hat Product Security has rated this update as having a security impact
Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Security Fix(es):

* Addressed a security issue which can allow a malicious playbook author to
elevate to the awx user from outside the isolated environment:
* Upgraded to a more recent version of nginx to address CVE-2019-20372
* Upgraded to a more recent version of autobahn to address CVE-2020-35678
* Upgraded to a more recent version of jquery to address CVE-2020-11022 and

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For information on upgrading Ansible Tower, reference the Ansible Tower
Upgrade and Migration Guide:

4. Bugs fixed (https://bugzilla.redhat.com/):

1790277 - CVE-2019-20372 nginx: HTTP request smuggling in configurations with URL redirect used as error_page
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
1850004 - CVE-2020-11023 jquery: Passing HTML containing