CVE-2022-3697
Published: 28 October 2022
A flaw was found in the amazon.aws collection for Ansible, in the handling of the tower_callback parameter of the amazon.aws.ec2_instance module. The module handles this parameter insecurely, which causes the password to leak into the logs, where an attacker can take advantage of it.
Notes
Author | Note |
---|---|
sbeattie | core ansible binaries were split into ansible-base, which got renamed to ansible-core |
Priority
Status
Package | Release | Status |
---|---|---|
ansible-core (Launchpad, Ubuntu, Debian) | kinetic | Ignored (end of life, was needs-triage) |
ansible-core | upstream | Needs triage |
ansible-core | bionic | Does not exist |
ansible-core | focal | Does not exist |
ansible-core | jammy | Needs triage |
ansible-core | trusty | Does not exist |
ansible-core | xenial | Does not exist |
ansible-core | lunar | Ignored (end of life, was needs-triage) |
ansible-core | mantic | Needs triage |
ansible (Launchpad, Ubuntu, Debian) | xenial | Needs triage |
ansible | kinetic | Ignored (end of life, was needs-triage) |
ansible | bionic | Needs triage |
ansible | upstream | Needs triage |
ansible | focal | Needs triage |
ansible | jammy | Needs triage |
ansible | trusty | Needs triage |
ansible | mantic | Needs triage |
ansible | lunar | Ignored (end of life, was needs-triage) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |