Bug 2232324 (CVE-2023-4380)
Summary: | CVE-2023-4380 Ansible Automation platform: token exposed at importing project | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vipul Nair <vinair> |
Component: | vulnerability | Assignee: | Nobody <nobody> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | adudiak, ajak, davidn, epacific, jcammara, jhardy, jneedle, jobarker, kshier, mabashia, simaishi, smcdonal, stcannon, teagle, tfister, yguenane, zsadeh |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | automation-eda-controller 1.0.1 | Doc Type: | If docs needed, set a value |
Doc Text: | A logic flaw exists in Ansible Automation platform. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the credentials from the log, resulting in the loss of confidentiality, integrity, and availability. | | |
Bug Blocks: | 2232586 |
Comment 4
errata-xmlrpc
2023-08-21 21:49:39 UTC
Importing a project with incorrect credentials leads to credentials being logged in plain text.

> A logic flaw exists in Ansible. Whenever a private project is created with incorrect credentials,

So.. not an Ansible, but rather in "Red Hat Ansible Automation Platform".

not in Ansible** :)

Corrected thank you.

Why am I needinfo'd?