CVE-2022-3697

Published: Oct 28, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.

Affected (3)

Products: Redhat: Ansible, Ansible Collection

2 products

Ansible Collection

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Redhat Ansible	From 2.5.0 to 2.10.0
Redhat Ansible Collection	From 2.1.0 to 5.1.0
Redhat Ansible Collection	Before 2.0.0

Related CWEs

Improper Handling of Parameters

The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined.

References (4)

https://github.com/ansible-collections/amazon.aws/pull/1199

Source: secalert@redhat.com

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html

Source: secalert@redhat.com

https://github.com/ansible-collections/amazon.aws/pull/1199

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.