RHSA-2021:0778: Red Hat Security Advisory: Red Hat Ansible Tower 3.6.7-1 - Container security and bug fix update

Red Hat Ansible Tower 3.6.7-1 - RHEL7 Container Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Security Fix(es):

• Addressed a security issue which can allow a malicious playbook author to elevate to the awx user from outside the isolated environment: CVE-2021-20253
• Upgraded to a more recent version of nginx to address CVE-2019-20372
• Upgraded to a more recent version of autobahn to address CVE-2020-35678
• Upgraded to a more recent version of jquery to address CVE-2020-11022 and CVE-2020-11023 For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Related CVEs:
• CVE-2019-20372: nginx: HTTP request smuggling in configurations with URL redirect used as error_page
• CVE-2020-11022: jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
• CVE-2020-11023: jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution
• CVE-2020-35678: python-autobahn: allows redirect header injection
• CVE-2021-20253: ansible-tower: Privilege escalation via job isolation escape