Bug 2229979 (CVE-2023-4237) - CVE-2023-4237 ansible automation platform: ec2_key module prints out the private key directly to the standard output
Keywords:
Status: NEW
Alias: CVE-2023-4237
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2229966
Reported: 2023-08-08 11:15 UTC by Vipul Nair
Modified: 2023-12-01 11:00 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Vipul Nair 2023-08-08 11:15:56 UTC
"When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. I wasn't able to find any way to disable this behavior in the module's documentation. This makes it unusable in any kind of public CI workflow such as GHA."

Confirmed impacting all collection releases, and back to ansible-core 2.8 (did not test further back).
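The pattern the reporter describes, followed by a hardened version, as an added example that is not part of this bug report or of the amazon.aws collection. It relies on the documented ec2_key return value key.private_key and on the standard Ansible task keyword no_log; the key name, region and output path are assumptions.

```yaml
# Added example (not from the bug report): unsafe pattern first, hardened version second.
# Key name, region and output path are assumed values.

- name: ec2_key without no_log (the pattern described in this bug)
  hosts: localhost
  gather_facts: false
  tasks:
    # Without key_material, AWS generates the keypair and the module returns the
    # private key in key.private_key. With default task output, that return
    # value is rendered to stdout and therefore into any CI log that captures it.
    - name: Create keypair (private key ends up in the task output)
      amazon.aws.ec2_key:
        name: example-deploy-key     # assumed key name
        region: us-east-1            # assumed region
      register: unsafe_result

- name: ec2_key with the private key kept out of logs
  hosts: localhost
  gather_facts: false
  tasks:
    # no_log: true suppresses the task's output, including the registered result,
    # even at -vvv verbosity, so key.private_key is not written to stdout.
    # The value remains available in the registered variable for later tasks.
    - name: Create keypair without echoing the private key
      amazon.aws.ec2_key:
        name: example-deploy-key
        region: us-east-1
      register: key_result
      no_log: true

    # Persist the key with owner-only permissions. no_log again, because copy
    # would otherwise show the content in its diff output. private_key is only
    # returned when AWS generated a new key, so guard for the already-exists case.
    - name: Write private key to a restricted file on the controller
      ansible.builtin.copy:
        content: "{{ key_result.key.private_key }}"
        dest: "{{ playbook_dir }}/example-deploy-key.pem"   # assumed path
        mode: "0600"
      when: key_result.key.private_key is defined
      no_log: true

    # Report only non-secret fields; never debug the whole registered result,
    # which would reintroduce the leak no_log just prevented.
    - name: Show the fingerprint only
      ansible.builtin.debug:
        msg: "Created keypair {{ key_result.key.name }} ({{ key_result.key.fingerprint }})"
```

Any later task that renders key_result in full (a debug of the variable, a template, a failed-task message) would put the key back into the log, so no_log needs to follow the value wherever it is used.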

Comment 4 Borja Tarraso 2023-11-17 19:45:59 UTC
This issue has been solved in the following releases:

https://access.redhat.com/errata/RHBA-2023:5666
https://access.redhat.com/errata/RHBA-2023:5653

