CVE-2017-12148 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2017-12148 Interim 1 5 2022-09-18T00:45:37Z current 2021-05-30T13:59:34Z 2022-09-18T00:45:37Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2017-12148 A flaw was found in Ansible Tower's interface before 3.1.5 and 3.2.0 with SCM repositories. If a Tower project (SCM repository) definition does not have the 'delete before update' flag set, an attacker with commit access to the upstream playbook source repository could create a Trojan playbook that, when executed by Tower, modifies the checked out SCM repository to add git hooks. These git hooks could, in turn, cause arbitrary command and code execution as the user Tower runs as. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Server 11 SP3 for Teradata SUSE OpenStack Cloud 7 ansible ansible as a component of SUSE Linux Enterprise Server 11 SP3 for Teradata ansible as a component of SUSE OpenStack Cloud 7 A flaw was found in Ansible Tower's interface before 3.1.5 and 3.2.0 with SCM repositories. If a Tower project (SCM repository) definition does not have the 'delete before update' flag set, an attacker with commit access to the upstream playbook source repository could create a Trojan playbook that, when executed by Tower, modifies the checked out SCM repository to add git hooks. These git hooks could, in turn, cause arbitrary command and code execution as the user Tower runs as. CVE-2017-12148 SUSE Linux Enterprise Server 11 SP3 for Teradata:ansible SUSE OpenStack Cloud 7:ansible important 8.3 AV:N/AC:L/Au:M/C:C/I:C/A:C 8.4 CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H