Platform: ec2_key module prints out the private key directly to the standard output
CVE-2023-4237

7.3HIGH

Key Information:

Vendor
Red Hat
Status
Red Hat Ansible Automation Platform 2.4 For Rhel 8
Red Hat Ansible Automation Platform 2.4 For Rhel 9
Vendor
CVE Published:
4 October 2023

Summary

A vulnerability exists within the Ansible Automation Platform that causes the ec2_key module to expose private keys to standard output when generating new keypairs. This flaw can lead to unauthorized access if attackers can access log files, thus compromising the confidentiality and integrity of the system. Users of the Ansible Automation Platform should review their logging practices and ensure proper security measures are taken to protect sensitive information.

References

https://access.redhat.com/errata/RHBA-2023:5653
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHBA-2023:5666
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-4237
vdb-entryx_refsource_REDHAT

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Jill Rouleau (redhat) for reporting this issue.
.