Bug 2232324 (CVE-2023-4380) - CVE-2023-4380 Ansible Automation platform: token exposed at importing project
Summary: CVE-2023-4380 Ansible Automation platform: token exposed at importing project
Keywords:
Status: NEW
Alias: CVE-2023-4380
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2232586
TreeView+ depends on / blocked
 
Reported: 2023-08-16 10:08 UTC by Vipul Nair
Modified: 2024-02-26 03:10 UTC (History)
18 users (show)

Fixed In Version: automation-eda-controller 1.0.1
Doc Type: If docs needed, set a value
Doc Text:
A logic flaw exists in Ansible Automation platform. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the credentials from the log, resulting in the loss of confidentiality, integrity, and availability.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:4693 0 None None None 2023-08-21 21:49:40 UTC

Comment 4 errata-xmlrpc 2023-08-21 21:49:39 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2023:4693 https://access.redhat.com/errata/RHSA-2023:4693
Comment 5 Vipul Nair 2023-08-23 12:19:54 UTC 
When importing a project with incorrect credentials leads to credentials being logged in plain text.
Comment 6 John Helmert III 2023-11-28 22:56:37 UTC 
> A logic flaw exists in Ansible. Whenever a private project is created with incorrect credentials, 

So.. not an Ansible, but rather in "Red Hat Ansible Automation Platform".
Comment 7 John Helmert III 2023-11-28 22:57:03 UTC 
not in Ansible** :)
Comment 9 Vipul Nair 2024-01-01 20:01:21 UTC 
Corrected thank you.
Comment 10 John Helmert III 2024-01-06 20:40:32 UTC 
Why am I needinfo'd?
Note You need to log in before you can comment on or make changes to this bug.