Bug 2137664 (CVE-2022-3697) - CVE-2022-3697 ansible: improper handling of tower_callback parameter in amazon.aws collection
Keywords:
Status: NEW
Alias: CVE-2022-3697
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2137871
Blocks: 2137206
Reported: 2022-10-25 18:43 UTC by Borja Tarraso
Modified: 2023-07-07 08:30 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Ansible amazon.aws collection in the way the amazon.aws.ec2_instance module handles the tower_callback parameter. The parameter is accepted as a raw dict with no declared sub-options, so Ansible's no_log protection is never applied to the password supplied in tower_callback.set_password, and that Windows password can be written to the logs in clear text.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Borja Tarraso 2022-10-25 18:43:29 UTC
For the amazon.aws collection, while looking into the way that the amazon.aws.ec2_instance module handles the "tower_callback" parameter, there is the potential for the Windows password to leak into logs when using "tower_callback.set_password".

Because the tower_callback parameter is just a raw dict, rather than having options set, no_log does not come into play and tower_callback.set_password, if set, can be leaked into the logs.
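
The following is an added illustration of the mechanism described above, not code from the bug report or from the amazon.aws collection. It mimics, in plain Python, the rule Ansible applies to module parameters: a value is masked only if the argument_spec entry that describes it carries no_log=True, and a bare type='dict' option has no such entries for its contents. The two argument specs, the extra tower_callback keys besides set_password, the parameter values and the password are all constructed for the example; the "hardened" spec shows one way a fix can be shaped and is not a claim about what amazon.aws 5.1.0 actually changed.

```python
"""Why a raw ``dict`` module option defeats ``no_log`` (constructed example).

This is not Ansible's code. It reproduces only the relevant rule: no_log is
honoured per declared option, so a dict with no declared sub-options cannot
protect anything nested inside it.
"""
from typing import Any, Dict, List

# Constructed argument specs (shapes are assumptions for illustration,
# not copied from amazon.aws).
VULNERABLE_SPEC: Dict[str, Any] = {
    "name": {"type": "str"},
    # A bare dict: no sub-option can carry no_log, so whatever the caller
    # puts under set_password is treated as ordinary, loggable data.
    "tower_callback": {"type": "dict"},
}

HARDENED_SPEC: Dict[str, Any] = {
    "name": {"type": "str"},
    "tower_callback": {
        "type": "dict",
        # Declaring sub-options lets individual keys be marked no_log.
        "options": {
            "tower_address": {"type": "str"},
            "job_template_id": {"type": "str"},
            "host_config_key": {"type": "str", "no_log": True},
            "set_password": {"type": "str", "no_log": True},
        },
    },
}

# Ansible's real placeholder string for masked parameter values.
NO_LOG_MARKER = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"


def collect_no_log_values(spec: Dict[str, Any], params: Dict[str, Any]) -> List[str]:
    """Return every parameter value whose spec entry says no_log=True.

    Descends into a dict value only when the spec declares ``options`` for
    it; a raw dict is opaque and contributes nothing, which is the flaw.
    """
    secrets: List[str] = []
    for name, rules in spec.items():
        value = params.get(name)
        if value is None:
            continue
        if rules.get("no_log"):
            secrets.append(str(value))
        sub_spec = rules.get("options")
        if sub_spec and isinstance(value, dict):
            secrets.extend(collect_no_log_values(sub_spec, value))
    return secrets


def sanitize(params: Any, secrets: List[str]) -> Any:
    """Copy ``params`` with every collected secret replaced by the marker."""
    if isinstance(params, dict):
        return {k: sanitize(v, secrets) for k, v in params.items()}
    if isinstance(params, list):
        return [sanitize(v, secrets) for v in params]
    if isinstance(params, str) and params in secrets:
        return NO_LOG_MARKER
    return params


def leaks_password(spec: Dict[str, Any], params: Dict[str, Any], password: str) -> bool:
    """True if ``password`` survives into what would be logged as the invocation."""
    logged = repr(sanitize(params, collect_no_log_values(spec, params)))
    return password in logged


# Constructed task parameters; the password is a placeholder, not a real secret.
PASSWORD = "Constructed-Passw0rd!"
PARAMS: Dict[str, Any] = {
    "name": "win-builder",
    "tower_callback": {
        "tower_address": "tower.example.internal",
        "job_template_id": "42",
        "host_config_key": "constructed-host-key",
        "set_password": PASSWORD,
    },
}

if __name__ == "__main__":
    for label, spec in (("raw dict", VULNERABLE_SPEC), ("declared options", HARDENED_SPEC)):
        print(f"{label:17s} -> password in log: {leaks_password(spec, PARAMS, PASSWORD)}")
```

Run stand-alone, the raw-dict spec reports the password as present in the logged invocation and the declared-options spec reports it masked. Until a collection carrying the fix (amazon.aws 5.1.0, per comment 5) is installed, the task-level `no_log: true` keyword is the operator-side control: it suppresses the whole task's parameter and result output rather than relying on the module's argument_spec, at the cost of hiding the task's other output as well.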

Comment 5 Mark Chappell 2022-10-28 15:04:01 UTC
Upstream amazon.aws 5.1.0 has now been released with the fix

- https://github.com/ansible-collections/amazon.aws/releases/tag/5.1.0
- https://galaxy.ansible.com/download/amazon-aws-5.1.0.tar.gz

