CVE-2023-4237

CWE-4977 documents6 sources

Severity

7.8HIGH

EPSS

0.1%

top 78.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Ansible Automation Platform

Timeline

PublishedOct 4

Description

A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 1.3 | Impact: 5.9

Affected Packages3 packages

▶NVDredhat/ansible_automation_platform2.0

▶Debianansible< 2.10.7+merged+base+2.10.17+dfsg-0+deb11u1+3

▶PyPIansible-core2.8.0 — 2.15.2

🔴Vulnerability Details

OSV

CVE-2023-4237: A flaw was found in the Ansible Automation Platform↗2023-10-04

▶

OSV

Ansible may expose private key↗2023-10-04

▶

GHSA

Ansible may expose private key↗2023-10-04

▶

CVEList

Platform: ec2_key module prints out the private key directly to the standard output↗2023-10-04

▶

📋Vendor Advisories

Red Hat

platform: ec2_key module prints out the private key directly to the standard output↗2023-08-08

▶

Debian

CVE-2023-4237: ansible - A flaw was found in the Ansible Automation Platform. When creating a new keypair...↗2023

▶