CVE-2023-4237 – ansible-core

Package

Manager: pip
Name: ansible-core
Vulnerable Version: >=2.8.0 <=2.15.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00072 pctl0.22437

Details

Ansible may expose private key A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability.

Metadata

Created: 2023-10-04T15:30:35Z
Modified: 2023-10-10T22:29:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-ww3m-ffrm-qvqv/GHSA-ww3m-ffrm-qvqv.json
CWE IDs: ["CWE-497"]
Alternative ID: GHSA-ww3m-ffrm-qvqv
Finding: F017
Auto approve: 1