{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-3697", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-03T01:14:03.351Z", "dateReserved": "2022-10-26T00:00:00", "datePublished": "2022-10-28T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2022-10-28T00:00:00"}, "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs."}], "affected": [{"vendor": "n/a", "product": "ansible, ansible community.aws, ansible amazon.aws", "versions": [{"version": "ansible from 2.5.0 before 2.10", "status": "affected"}, {"version": "ansible community.aws before 2.0.0", "status": "affected"}, {"version": "ansible amazon.aws from 2.1.0 before 5.1.0", "status": "affected"}]}], "references": [{"url": "https://github.com/ansible-collections/amazon.aws/pull/1199"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-233", "cweId": "CWE-233"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:14:03.351Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/ansible-collections/amazon.aws/pull/1199", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "matchCriteriaId": "9DBC8935-27B7-4048-92C9-942D24D116A0", "versionEndExcluding": "2.10.0", "versionStartIncluding": "2.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_collection:*:*:*:*:*:community_aws:*:*", "matchCriteriaId": "2549F857-19D5-4359-BCE4-2DAB72D52F5B", "versionEndExcluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_collection:*:*:*:*:*:aws:*:*", "matchCriteriaId": "D8990581-F433-4EB1-96B8-383A4342D6F7", "versionEndExcluding": "5.1.0", "versionStartIncluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en Ansible en la colecci\u00f3n amazon.aws al usar el par\u00e1metro tower_callback del m\u00f3dulo amazon.aws.ec2_instance. Esta falla permite que un atacante aproveche este problema ya que el m\u00f3dulo maneja el par\u00e1metro de manera insegura, lo que provoca que la contrase\u00f1a se filtre en los registros."}], "id": "CVE-2022-3697", "lastModified": "2023-12-28T19:15:14.283", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-28T16:15:16.403", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ansible-collections/amazon.aws/pull/1199"}, {"source": "secalert@redhat.com", "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-233"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Mark Chappell (Red Hat).", "bugzilla": {"description": "ansible: improper handling of tower_callback parameter in amazon.aws collection", "id": "2137664", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137664"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-233", "details": ["A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.", "A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs."], "name": "CVE-2022-3697", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-20-early-access/ee-supported-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}], "public_date": "2022-10-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-3697\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-3697\nhttps://github.com/ansible-collections/amazon.aws/pull/1199"], "threat_severity": "Moderate"}