Bug 1880275 (CVE-2020-25635)
Summary: CVE-2020-25635 Collections: aws_ssm connection plugin should garbage collect the s3 bucket after the file transfers
Product: [Other] Security Response
Reporter: Borja Tarraso <btarraso>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: aws_ssm 1.3.0
Doc Text: A flaw was found in Ansible Base when using the aws_ssm connection plugin: garbage collection is not performed after the playbook run is completed, so the transferred files remain in the bucket, which exposes the data. The highest threat from this vulnerability is to confidentiality.
Last Closed: 2020-09-24 08:41:16 UTC
Bug Blocks: 1875993
Description
Borja Tarraso
2020-09-18 07:29:16 UTC
Acknowledgments:
Name: Abel Luck (The Guardian Project)

External References:
https://github.com/ansible-collections/community.aws/issues/222

Mitigation:
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-25635

Statement:
Ansible collection aws_ssm connection community plugin 1.2.1 and previous versions until 1.0.0 when it was introduced to this plugin, are the versions affected by this flaw.