CVE-2023-3971 (AAP on RHEL) - awx also affected

Dear group,

based on the recent CVE (see subject) found in RHEL AAP, I was wondering if someone on this group might as well be in the process of evaluating whether this vulnerability also affects awx, or if it is just something on the AAP.

I totally understand that regular auditing/pen-testing of the fast-paced awx is not something that can primarily be done in this group - the possibility of HTML injection to harvest user credentials is nevertheless something that I think is somewhat concerning.

RHEL support is not very talkative about which awx version the vulnerable release is based on, and I was unsuccessful in finding an exploit / PoC in the wild for this CVE.

So, any thoughts, ideas or hints will be much appreciated!

Best regards,

Jörg

You are correct, we do not perform auditing/pen-testing on AWX. If someone were able to replicate the effects of the CVE and open an issue in GitHub, we would attempt to look at it, though. That being said, Red Hat is a major contributor to AWX, so if they have fixed a CVE I’m sure they would back port it into AWX (if they haven’t done so already). Unfortunately, we wouldn’t know which patch it was (unless it was specifically mentioned in the PR) and thus cannot say which versions of AWX it would go into. Also note, we don’t “back port” PRs into older versions of AWX, so if you believe you are affected, please upgrade to the latest version.

-The AWX Team