Bug 2232324 (CVE-2023-4380) - CVE-2023-4380 Ansible Automation platform: token exposed at importing project
Summary: CVE-2023-4380 Ansible Automation platform: token exposed at importing project
Keywords:
Status: NEW
Alias: CVE-2023-4380
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2232586
Reported: 2023-08-16 10:08 UTC by Vipul Nair
Modified: 2025-04-01 08:28 UTC

Fixed In Version: automation-eda-controller 1.0.1
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHSA-2023:4693 | 0 | None | None | None | 2023-08-21 21:49:40 UTC

Comment 4 errata-xmlrpc 2023-08-21 21:49:39 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2023:4693 https://access.redhat.com/errata/RHSA-2023:4693

Comment 5 Vipul Nair 2023-08-23 12:19:54 UTC
Importing a project with incorrect credentials leads to credentials being logged in plain text.

Comment 6 John Helmert III 2023-11-28 22:56:37 UTC
> A logic flaw exists in Ansible. Whenever a private project is created with incorrect credentials, 

So.. not an Ansible, but rather in "Red Hat Ansible Automation Platform".

Comment 7 John Helmert III 2023-11-28 22:57:03 UTC
not in Ansible** :)

Comment 9 Vipul Nair 2024-01-01 20:01:21 UTC
Corrected, thank you.

Comment 10 John Helmert III 2024-01-06 20:40:32 UTC
Why am I needinfo'd?

