Bug 1880275 (CVE-2020-25635) - CVE-2020-25635 Collections: aws_ssm connection plugin should garbage collect the s3 bucket after the file transfers
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-25635
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1875993
Reported: 2020-09-18 07:29 UTC by Borja Tarraso
Modified: 2023-09-25 06:14 UTC (History)

Fixed In Version: aws_ssm 1.3.0
Doc Type: ---
Doc Text:
A flaw was found in Ansible Base when using the aws_ssm connection plugin: garbage collection does not take place after the playbook run is completed, so the transferred files remain in the bucket, which exposes the data. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed: 2020-09-24 08:41:16 UTC
Embargoed:


Description Borja Tarraso 2020-09-18 07:29:16 UTC
The aws_ssm connection plugin uses an S3 bucket to transfer files to instances. These files remain in the bucket after the play has completed; they are never removed.
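
The staging pattern described above, as an added example that is not code from the plugin or from the upstream fix: a transfer that leaves the object behind, the same transfer with cleanup in a finally block, and an audit for leftovers. The "staging/" key prefix, the function names and the in-memory client are assumptions made for illustration; the stub only mimics the boto3 S3 client calls put_object, delete_object and list_objects_v2 so the example runs offline.

```python
import uuid


class InMemoryS3:
    """Constructed stand-in for a boto3 S3 client (three calls only)."""

    def __init__(self):
        self.objects = {}

    def put_object(self, Bucket, Key, Body):
        self.objects[(Bucket, Key)] = Body

    def delete_object(self, Bucket, Key):
        self.objects.pop((Bucket, Key), None)

    def list_objects_v2(self, Bucket, Prefix=""):
        keys = sorted(k for b, k in self.objects
                      if b == Bucket and k.startswith(Prefix))
        return {"KeyCount": len(keys), "Contents": [{"Key": k} for k in keys]}


def transfer_leaky(s3, bucket, data, deliver):
    """Reported behaviour: stage the file in S3 and never remove it."""
    key = f"staging/{uuid.uuid4()}"  # hypothetical key layout
    s3.put_object(Bucket=bucket, Key=key, Body=data)
    deliver(bucket, key)  # the target instance fetches the staged object
    return key


def transfer_with_cleanup(s3, bucket, data, deliver):
    """Stage the file, then delete it even if delivery raises."""
    key = f"staging/{uuid.uuid4()}"  # hypothetical key layout
    s3.put_object(Bucket=bucket, Key=key, Body=data)
    try:
        deliver(bucket, key)
    finally:
        s3.delete_object(Bucket=bucket, Key=key)
    return key


def leftover_keys(s3, bucket, prefix="staging/"):
    """Audit: keys still under the staging prefix after a run.

    A real list_objects_v2 call omits 'Contents' for an empty result and
    returns at most 1000 keys per call, so a large bucket needs pagination.
    """
    resp = s3.list_objects_v2(Bucket=bucket, Prefix=prefix)
    return [obj["Key"] for obj in resp.get("Contents", [])]
```

Against a real bucket, the same leftover_keys audit run after a play shows whether transferred files were left behind.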

Comment 1 Borja Tarraso 2020-09-18 07:29:19 UTC
Acknowledgments:

Name: Abel Luck (The Guardian Project)

Comment 2 Borja Tarraso 2020-09-18 07:29:22 UTC
External References: https://github.com/ansible-collections/community.aws/issues/222

Comment 3 Borja Tarraso 2020-09-18 07:29:24 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 7 Borja Tarraso 2020-09-23 06:23:31 UTC
Upstream fix: https://github.com/ansible-collections/community.aws/pull/237

Comment 8 Product Security DevOps Team 2020-09-24 08:41:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25635

Comment 10 RaTasha Tillery-Smith 2021-02-10 16:26:27 UTC
Statement:

The Ansible collection aws_ssm connection community plugin versions 1.2.1 and earlier, back to 1.0.0 when it was introduced to this plugin, are the versions affected by this flaw.

