CVE-2022-3697

CWE-233 | 11 documents | 8 sources
Severity
7.5 HIGH
EPSS
0.2%
top 55.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Oct 28
Latest update Dec 2

Description

A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages: 5 packages

NVD | redhat/ansible_collection | 2.1.0 | 5.1.0 | +1
PyPI | ansible | 2.5.0 | 7.0.0
NVD | redhat/ansible | 2.5.0 | 2.10.0
Debian | ansible | < 2.10.7+merged+base+2.10.17+dfsg-0+deb11u1 | +3
Ubuntu | ansible | < 2.0.0.2-2ubuntu1.3+esm2 | +3

🔴Vulnerability Details

6
OSV
ansible regression | 2024-12-02
OSV
ansible vulnerabilities | 2024-06-25
GHSA
Ansible leaks password to logs | 2022-10-28
CVEList
CVE-2022-3697: A flaw was found in Ansible in the amazon | 2022-10-28
OSV
Ansible leaks password to logs | 2022-10-28

📋Vendor Advisories

4
Ubuntu
Ansible vulnerabilities | 2024-06-25
Red Hat
ansible: improper handling of tower_callback parameter in amazon.aws collection | 2022-10-25
Microsoft
A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue a | 2022-10-11
Debian
CVE-2022-3697: ansible - A flaw was found in Ansible in the amazon.aws collection when using the tower_ca... | 2022