CVE-2022-3644

CWE-256 CWE-522 — Insufficiently Protected Credentials5 documents5 sources

Severity

5.5MEDIUM

EPSS

0.0%

top 85.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Ansible Automation Platform Redhat Satellite Redhat Update Infrastructure

Timeline

PublishedOct 25

Description

The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

▶PyPIpulp-ansible< 0.15.0

▶CVEListV5pulp_ansible0.15

▶NVDredhat/satellite6.0

▶NVDredhat/update_infrastructure3.0

▶NVDredhat/ansible_automation_platform2.0

🔴Vulnerability Details

OSV

Plaintext storage of tokens in pulp_ansible↗2022-10-25

▶

CVEList

CVE-2022-3644: The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the↗2022-10-25

▶

GHSA

Plaintext storage of tokens in pulp_ansible↗2022-10-25

▶

📋Vendor Advisories

Red Hat

Pulp: Tokens stored in plaintext↗2022-10-04

▶