CVE-2022-3697

A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/ansible-collections/amazon.aws/pull/1199	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:ansible::::::::
	cpe:2.3:a:redhat:ansible_collection::::::community_aws::*
	cpe:2.3:a:redhat:ansible_collection::::::aws::*

History

28 Dec 2023, 19:15

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html -

01 Nov 2022, 18:47

Type	Values Removed	Values Added
References	~~(MISC) https://github.com/ansible-collections/amazon.aws/pull/1199 -~~	(MISC) https://github.com/ansible-collections/amazon.aws/pull/1199 - Third Party Advisory
CWE	~~CWE-233~~	NVD-CWE-Other
CPE		cpe:2.3:a:redhat:ansible_collection::::::community_aws::* cpe:2.3:a:redhat:ansible_collection::::::aws::* cpe:2.3:a:redhat:ansible::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
First Time		Redhat ansible Collection Redhat ansible Redhat

28 Oct 2022, 16:46

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-10-28 16:15

Updated : 2023-12-28 19:15

NVD link : CVE-2022-3697

Mitre link : CVE-2022-3697

CVE.ORG link : CVE-2022-3697

JSON object : View

Products Affected

redhat

ansible_collection
ansible

CWE

NVD-CWE-Other CWE-233

Improper Handling of Parameters

{"id": "CVE-2022-3697", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-10-28T16:15:16.403", "references": [{"url": "https://github.com/ansible-collections/amazon.aws/pull/1199", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html", "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-233"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en Ansible en la colecci\u00f3n amazon.aws al usar el par\u00e1metro tower_callback del m\u00f3dulo amazon.aws.ec2_instance. Esta falla permite que un atacante aproveche este problema ya que el m\u00f3dulo maneja el par\u00e1metro de manera insegura, lo que provoca que la contrase\u00f1a se filtre en los registros."}], "lastModified": "2023-12-28T19:15:14.283", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9DBC8935-27B7-4048-92C9-942D24D116A0", "versionEndExcluding": "2.10.0", "versionStartIncluding": "2.5.0"}, {"criteria": "cpe:2.3:a:redhat:ansible_collection:*:*:*:*:*:community_aws:*:*", "vulnerable": true, "matchCriteriaId": "2549F857-19D5-4359-BCE4-2DAB72D52F5B", "versionEndExcluding": "2.0.0"}, {"criteria": "cpe:2.3:a:redhat:ansible_collection:*:*:*:*:*:aws:*:*", "vulnerable": true, "matchCriteriaId": "D8990581-F433-4EB1-96B8-383A4342D6F7", "versionEndExcluding": "5.1.0", "versionStartIncluding": "2.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}