Platform: ec2_key module prints out the private key directly to the standard output
CVE-2023-4237

7.3HIGH

Key Information:

Vendor
Red Hat
Status
Red Hat Ansible Automation Platform 2.4 For Rhel 8
Red Hat Ansible Automation Platform 2.4 For Rhel 9
Vendor
CVE Published:
4 October 2023

Summary

A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability.

References

https://access.redhat.com/errata/RHBA-2023:5653
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHBA-2023:5666
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-4237
vdb-entryx_refsource_REDHAT

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Jill Rouleau (redhat) for reporting this issue.
.