Fluid Attacks Database

Description

Ansible may expose private key A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	ansible-core	>=2.8.0 <=2.15.2	2.15.2rc1
debian 13	ansible	>=0 <9.4.0+dfsg-1	9.4.0+dfsg-1
debian 11	ansible	=2.10.7+merged+base+2.10.8+dfsg-1 \|\| >=0 <2.10.7+merged+base+2.10.17+dfsg-0+deb11u1	2.10.7+merged+base+2.10.17+dfsg-0+deb11u1
debian 12	ansible	=7.3.0+dfsg-1 \|\| =7.7.0+dfsg-1 \|\| =7.7.0+dfsg-2 \|\| =7.7.0+dfsg-3 \|\| >=0 <7.7.0+dfsg-3+deb12u1	7.7.0+dfsg-3+deb12u1
debian 14	ansible	>=0 <9.4.0+dfsg-1	9.4.0+dfsg-1

Aliases

1. CVE-2023-42372. NVD-2023-42373. OSV-2023-42374. OSV-DEBIAN-2023-42375. GCVE-2023-42376. access.redhat.com7. access.redhat.com8. ACCESS-CVE-2023-42379. SECURITY-TRACKER-CVE-2023-4237

References

1. https://bugzilla.redhat.com/show_bug.cgi?id=2229979