878761 – (CVE-2022-3697) <app-admin/ansible-8.3.0: ec2_instance tower_callback credential leakage into logs

Bug 878761 (CVE-2022-3697) - <app-admin/ansible-8.3.0: ec2_instance tower_callback credential leakage into logs

Summary: <app-admin/ansible-8.3.0: ec2_instance tower_callback credential leakage into...

Status:	CONFIRMED

Alias:	CVE-2022-3697

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://github.com/ansible-collection...
Whiteboard:	B4 [cleanup glsa?]
Keywords:

Depends on:
Blocks:

Reported:	2022-10-30 00:32 UTC by John Helmert III
Modified:	2023-10-26 12:23 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-10-30 00:32:30 UTC

CVE-2022-3697:

A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.

Maintainers, are we vulnerable here? Not sure how ansible-collections
patches make their way into our package.

Comment 1 Hans de Graaff gentoo-dev

2023-10-26 12:23:48 UTC

Fixed in https://github.com/ansible-collections/amazon.aws/commit/5fe427c6f4152489b2ed7f8ede86eb9b65940922 first released in amazon.aws 6.0.0.

First fixed version in gentoo is 8.3.0 (7.7.0 still contains amazon.aws 5.x).