CVE-2022-3697

NameCVE-2022-3697
DescriptionA flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ansible (PTS)buster, buster (security)2.7.7+dfsg-1+deb10u1vulnerable
bullseye2.10.7+merged+base+2.10.8+dfsg-1vulnerable
bookworm, sid7.3.0+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ansiblesource(unstable)7.0.0+dfsg-1

Notes

[bullseye] - ansible <no-dsa> (Minor issue)
[buster] - ansible <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=2137664
https://github.com/ansible-collections/amazon.aws/pull/1199
Search for package or bug name: Reporting problems