cvelistv5 - cve-2022-3697

CVE-2022-3697 (GCVE-0-2022-3697)

Vulnerability from cvelistv5 – Published: 2022-10-28 00:00 – Updated: 2025-02-13 16:32

Summary

A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.

Severity ?

No CVSS data available.

CWE

CWE-233

Assigner

redhat

References

URL

Tags

	https://github.com/ansible-collections/amazon.aws…
	https://lists.debian.org/debian-lts-announce/2023…

Impacted products

	Vendor	Product	Version
	n/a	ansible, ansible community.aws, ansible amazon.aws	Affected: ansible from 2.5.0 before 2.10 Affected: ansible community.aws before 2.0.0 Affected: ansible amazon.aws from 2.1.0 before 5.1.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:14:03.351Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/ansible-collections/amazon.aws/pull/1199"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ansible, ansible community.aws, ansible amazon.aws",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "ansible from 2.5.0 before 2.10"
            },
            {
              "status": "affected",
              "version": "ansible community.aws before 2.0.0"
            },
            {
              "status": "affected",
              "version": "ansible amazon.aws from 2.1.0 before 5.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-233",
              "description": "CWE-233",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-28T19:06:27.294Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://github.com/ansible-collections/amazon.aws/pull/1199"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-3697",
    "datePublished": "2022-10-28T00:00:00.000Z",
    "dateReserved": "2022-10-26T00:00:00.000Z",
    "dateUpdated": "2025-02-13T16:32:52.283Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.5.0\", \"versionEndExcluding\": \"2.10.0\", \"matchCriteriaId\": \"9DBC8935-27B7-4048-92C9-942D24D116A0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:ansible_collection:*:*:*:*:*:community_aws:*:*\", \"versionEndExcluding\": \"2.0.0\", \"matchCriteriaId\": \"2549F857-19D5-4359-BCE4-2DAB72D52F5B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:ansible_collection:*:*:*:*:*:aws:*:*\", \"versionStartIncluding\": \"2.1.0\", \"versionEndExcluding\": \"5.1.0\", \"matchCriteriaId\": \"D8990581-F433-4EB1-96B8-383A4342D6F7\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.\"}, {\"lang\": \"es\", \"value\": \"Se encontr\\u00f3 una falla en Ansible en la colecci\\u00f3n amazon.aws al usar el par\\u00e1metro tower_callback del m\\u00f3dulo amazon.aws.ec2_instance. Esta falla permite que un atacante aproveche este problema ya que el m\\u00f3dulo maneja el par\\u00e1metro de manera insegura, lo que provoca que la contrase\\u00f1a se filtre en los registros.\"}]",
      "id": "CVE-2022-3697",
      "lastModified": "2024-11-21T07:20:03.293",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2022-10-28T16:15:16.403",
      "references": "[{\"url\": \"https://github.com/ansible-collections/amazon.aws/pull/1199\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://github.com/ansible-collections/amazon.aws/pull/1199\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "secalert@redhat.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-233\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-3697\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2022-10-28T16:15:16.403\",\"lastModified\":\"2024-11-21T07:20:03.293\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 una falla en Ansible en la colecci\u00f3n amazon.aws al usar el par\u00e1metro tower_callback del m\u00f3dulo amazon.aws.ec2_instance. Esta falla permite que un atacante aproveche este problema ya que el m\u00f3dulo maneja el par\u00e1metro de manera insegura, lo que provoca que la contrase\u00f1a se filtre en los registros.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-233\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.5.0\",\"versionEndExcluding\":\"2.10.0\",\"matchCriteriaId\":\"9DBC8935-27B7-4048-92C9-942D24D116A0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:ansible_collection:*:*:*:*:*:community_aws:*:*\",\"versionEndExcluding\":\"2.0.0\",\"matchCriteriaId\":\"2549F857-19D5-4359-BCE4-2DAB72D52F5B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:ansible_collection:*:*:*:*:*:aws:*:*\",\"versionStartIncluding\":\"2.1.0\",\"versionEndExcluding\":\"5.1.0\",\"matchCriteriaId\":\"D8990581-F433-4EB1-96B8-383A4342D6F7\"}]}]}],\"references\":[{\"url\":\"https://github.com/ansible-collections/amazon.aws/pull/1199\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/ansible-collections/amazon.aws/pull/1199\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

GSD-2022-3697

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-3697

Aliases

CVE-2022-3697

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-3697",
    "id": "GSD-2022-3697",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-3697.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-3697"
      ],
      "details": "A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.",
      "id": "GSD-2022-3697",
      "modified": "2023-12-13T01:19:39.902559Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2022-3697",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "ansible, ansible community.aws, ansible amazon.aws",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "ansible from 2.5.0 before 2.10"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "ansible community.aws before 2.0.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "ansible amazon.aws from 2.1.0 before 5.1.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-233",
                "lang": "eng",
                "value": "CWE-233"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/ansible-collections/amazon.aws/pull/1199",
            "refsource": "MISC",
            "url": "https://github.com/ansible-collections/amazon.aws/pull/1199"
          },
          {
            "name": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html",
            "refsource": "MISC",
            "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=2.5.0,\u003c2.10.0",
          "affected_versions": "All versions starting from 2.5.0 before 2.10.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-11-01",
          "description": "A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.",
          "fixed_versions": [
            "2.10.0"
          ],
          "identifier": "CVE-2022-3697",
          "identifiers": [
            "CVE-2022-3697"
          ],
          "not_impacted": "All versions before 2.5.0, all versions starting from 2.10.0",
          "package_slug": "pypi/ansible",
          "pubdate": "2022-10-28",
          "solution": "Upgrade to version 2.10.0 or above.",
          "title": "Improper Handling of Parameters",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-3697",
            "https://github.com/ansible-collections/amazon.aws/pull/1199"
          ],
          "uuid": "e70f8069-fcf3-4722-bcc3-ae4122e5142e"
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "9DBC8935-27B7-4048-92C9-942D24D116A0",
                    "versionEndExcluding": "2.10.0",
                    "versionStartIncluding": "2.5.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:redhat:ansible_collection:*:*:*:*:*:community_aws:*:*",
                    "matchCriteriaId": "2549F857-19D5-4359-BCE4-2DAB72D52F5B",
                    "versionEndExcluding": "2.0.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:redhat:ansible_collection:*:*:*:*:*:aws:*:*",
                    "matchCriteriaId": "D8990581-F433-4EB1-96B8-383A4342D6F7",
                    "versionEndExcluding": "5.1.0",
                    "versionStartIncluding": "2.1.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs."
          },
          {
            "lang": "es",
            "value": "Se encontr\u00f3 una falla en Ansible en la colecci\u00f3n amazon.aws al usar el par\u00e1metro tower_callback del m\u00f3dulo amazon.aws.ec2_instance. Esta falla permite que un atacante aproveche este problema ya que el m\u00f3dulo maneja el par\u00e1metro de manera insegura, lo que provoca que la contrase\u00f1a se filtre en los registros."
          }
        ],
        "id": "CVE-2022-3697",
        "lastModified": "2023-12-28T19:15:14.283",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2022-10-28T16:15:16.403",
        "references": [
          {
            "source": "secalert@redhat.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://github.com/ansible-collections/amazon.aws/pull/1199"
          },
          {
            "source": "secalert@redhat.com",
            "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"
          }
        ],
        "sourceIdentifier": "secalert@redhat.com",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "NVD-CWE-Other"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-233"
              }
            ],
            "source": "secalert@redhat.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

MSRC_CVE-2022-3697

Vulnerability from csaf_microsoft - Published: 2022-10-02 00:00 - Updated: 2025-10-01 23:11

Summary

Notes

Additional Resources

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer

The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2022-3697 A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs. - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-3697.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.",
    "tracking": {
      "current_release_date": "2025-10-01T23:11:21.000Z",
      "generator": {
        "date": "2025-10-24T03:05:14.183Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2022-3697",
      "initial_release_date": "2022-10-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-10-01T23:11:21.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.0",
                "product": {
                  "name": "CBL Mariner 1.0",
                  "product_id": "16820"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003ccm1 ansible 2.9.27-2",
                "product": {
                  "name": "\u003ccm1 ansible 2.9.27-2",
                  "product_id": "1"
                }
              },
              {
                "category": "product_version",
                "name": "cm1 ansible 2.9.27-2",
                "product": {
                  "name": "cm1 ansible 2.9.27-2",
                  "product_id": "18563"
                }
              }
            ],
            "category": "product_name",
            "name": "ansible"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003ccm1 ansible 2.9.27-2 as a component of CBL Mariner 1.0",
          "product_id": "16820-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "16820"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cm1 ansible 2.9.27-2 as a component of CBL Mariner 1.0",
          "product_id": "18563-16820"
        },
        "product_reference": "18563",
        "relates_to_product_reference": "16820"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-3697",
      "cwe": {
        "id": "CWE-233",
        "name": "Improper Handling of Parameters"
      },
      "notes": [
        {
          "category": "general",
          "text": "redhat",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "fixed": [
          "18563-16820"
        ],
        "known_affected": [
          "16820-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2022-3697 A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs. - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-3697.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-10-01T23:11:21.000Z",
          "details": "2.9.27-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "16820-1"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalsScore": 0.0,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "16820-1"
          ]
        }
      ],
      "title": "A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs."
    }
  ]
}

WID-SEC-W-2022-1899

Vulnerability from csaf_certbund - Published: 2022-10-30 23:00 - Updated: 2025-02-12 23:00

Summary

Ansible: Schwachstelle ermöglicht Offenlegung von Informationen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Ansible ist eine Software zur Automatisierung von Cloud Provisionierung, zum Konfigurationsmanagement und zur Anwendungsbereitstellung.

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Ansible ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux - Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Ansible ist eine Software zur Automatisierung von Cloud Provisionierung,\r\nzum Konfigurationsmanagement und zur Anwendungsbereitstellung.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Ansible ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-1899 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-1899.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-1899 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1899"
      },
      {
        "category": "external",
        "summary": "National Vulnerability Database vom 2022-10-30",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3697"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-3695 vom 2023-12-28",
        "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6846-1 vom 2024-06-25",
        "url": "https://ubuntu.com/security/notices/USN-6846-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6846-2 vom 2024-12-02",
        "url": "https://ubuntu.com/security/notices/USN-6846-2"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6846-3 vom 2025-02-13",
        "url": "https://ubuntu.com/security/notices/USN-6846-3"
      }
    ],
    "source_lang": "en-US",
    "title": "Ansible: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2025-02-12T23:00:00.000+00:00",
      "generator": {
        "date": "2025-02-13T13:07:16.339+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.10"
        }
      },
      "id": "WID-SEC-W-2022-1899",
      "initial_release_date": "2022-10-30T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2022-10-30T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2023-12-28T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2024-06-25T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-12-01T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2025-02-12T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        }
      ],
      "status": "final",
      "version": "5"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source Ansible",
            "product": {
              "name": "Open Source Ansible",
              "product_id": "T010090",
              "product_identification_helper": {
                "cpe": "cpe:/a:open_source:ansible:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-3697",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Ansible. Der Fehler besteht in der amazon.aws-Sammlung bei der Verwendung des tower_callback-Parameters aus dem amazon.aws.ec2_instance-Modul. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, da das Modul den Parameter unsicher handhabt, was dazu f\u00fchrt, dass das Passwort in den Protokollen offengelegt wird."
        }
      ],
      "product_status": {
        "known_affected": [
          "T010090",
          "2951",
          "T000126"
        ]
      },
      "release_date": "2022-10-30T23:00:00.000+00:00",
      "title": "CVE-2022-3697"
    }
  ]
}

FKIE_CVE-2022-3697

Vulnerability from fkie_nvd - Published: 2022-10-28 16:15 - Updated: 2024-11-21 07:20

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
secalert@redhat.com	https://github.com/ansible-collections/amazon.aws/pull/1199	Third Party Advisory
secalert@redhat.com	https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ansible-collections/amazon.aws/pull/1199	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html

Impacted products

Vendor	Product	Version
redhat	ansible	*
redhat	ansible_collection	*
redhat	ansible_collection	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9DBC8935-27B7-4048-92C9-942D24D116A0",
              "versionEndExcluding": "2.10.0",
              "versionStartIncluding": "2.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:ansible_collection:*:*:*:*:*:community_aws:*:*",
              "matchCriteriaId": "2549F857-19D5-4359-BCE4-2DAB72D52F5B",
              "versionEndExcluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:ansible_collection:*:*:*:*:*:aws:*:*",
              "matchCriteriaId": "D8990581-F433-4EB1-96B8-383A4342D6F7",
              "versionEndExcluding": "5.1.0",
              "versionStartIncluding": "2.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una falla en Ansible en la colecci\u00f3n amazon.aws al usar el par\u00e1metro tower_callback del m\u00f3dulo amazon.aws.ec2_instance. Esta falla permite que un atacante aproveche este problema ya que el m\u00f3dulo maneja el par\u00e1metro de manera insegura, lo que provoca que la contrase\u00f1a se filtre en los registros."
    }
  ],
  "id": "CVE-2022-3697",
  "lastModified": "2024-11-21T07:20:03.293",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-10-28T16:15:16.403",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/ansible-collections/amazon.aws/pull/1199"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/ansible-collections/amazon.aws/pull/1199"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-233"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-CPX3-93W7-457X

Vulnerability from github – Published: 2022-10-28 19:00 – Updated: 2023-08-31 21:28

Summary

Ansible leaks password to logs

Details

A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-3697"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-233"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-24T23:11:22Z",
    "nvd_published_at": "2022-10-28T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in Ansible in the amazon.aws collection when using the `tower_callback` parameter from the `amazon.aws.ec2_instance` module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.",
  "id": "GHSA-cpx3-93w7-457x",
  "modified": "2023-08-31T21:28:27Z",
  "published": "2022-10-28T19:00:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3697"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible-collections/amazon.aws/pull/1199"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/pull/35749"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible-community/ansible-build-data/blob/main/6/CHANGELOG-v6.rst"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ansible leaks password to logs"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-3697 (GCVE-0-2022-3697)

GSD-2022-3697

MSRC_CVE-2022-3697

WID-SEC-W-2022-1899

FKIE_CVE-2022-3697

GHSA-CPX3-93W7-457X

Tags

Sightings

Nomenclature