CVE-2022-3697

A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/ansible-collections/amazon.aws/pull/1199	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:ansible::::::::
	cpe:2.3:a:redhat:ansible_collection::::::community_aws::*
	cpe:2.3:a:redhat:ansible_collection::::::aws::*

History

28 Dec 2023, 19:15

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html -

Information

Published : 2022-10-28 16:15

Updated : 2024-02-28 19:29

NVD link : CVE-2022-3697

Mitre link : CVE-2022-3697

CVE.ORG link : CVE-2022-3697

JSON object : View

Products Affected

redhat

ansible
ansible_collection

CWE

NVD-CWE-Other CWE-233

Improper Handling of Parameters

{"id": "CVE-2022-3697", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-10-28T16:15:16.403", "references": [{"url": "https://github.com/ansible-collections/amazon.aws/pull/1199", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html", "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-233"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en Ansible en la colecci\u00f3n amazon.aws al usar el par\u00e1metro tower_callback del m\u00f3dulo amazon.aws.ec2_instance. Esta falla permite que un atacante aproveche este problema ya que el m\u00f3dulo maneja el par\u00e1metro de manera insegura, lo que provoca que la contrase\u00f1a se filtre en los registros."}], "lastModified": "2023-12-28T19:15:14.283", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9DBC8935-27B7-4048-92C9-942D24D116A0", "versionEndExcluding": "2.10.0", "versionStartIncluding": "2.5.0"}, {"criteria": "cpe:2.3:a:redhat:ansible_collection:*:*:*:*:*:community_aws:*:*", "vulnerable": true, "matchCriteriaId": "2549F857-19D5-4359-BCE4-2DAB72D52F5B", "versionEndExcluding": "2.0.0"}, {"criteria": "cpe:2.3:a:redhat:ansible_collection:*:*:*:*:*:aws:*:*", "vulnerable": true, "matchCriteriaId": "D8990581-F433-4EB1-96B8-383A4342D6F7", "versionEndExcluding": "5.1.0", "versionStartIncluding": "2.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}