CVE-2022-3697: ec2_instance - validate options on tower_callback by tremble · Pull Request #1199 · ansible-collections/amazon.aws

A flaw was found in the Ansible amazon.aws collection when using the tower_callback parameter of the amazon.aws.ec2_instance module. Because the module handles the parameter insecurely, the password leaks into the logs, which an attacker can take advantage of.

tremble marked this pull request as ready for review

Oct 25, 2022

patchback bot pushed a commit that referenced this pull request

Oct 26, 2022

ec2_instance - validate options on tower_callback

Depends-On: #1202

SUMMARY

Validate options for tower_callback parameter
Set tower_callback.set_password (the password) to no_log=True

ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME

ec2_instance

ADDITIONAL INFORMATION

Reviewed-by: Alina Buzachis <None>
(cherry picked from commit 5fe427c)

softwarefactory-project-zuul bot pushed a commit that referenced this pull request

Oct 27, 2022

[PR #1199/5fe427c6 backport][stable-5] ec2_instance - validate options on tower_callback

This is a backport of PR #1199 as merged into main (5fe427c).

Depends-On: #1202

SUMMARY

Validate options for tower_callback parameter
Set tower_callback.set_password (the password) to no_log=True

ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME

ec2_instance

ADDITIONAL INFORMATION

Reviewed-by: Jill R <None>

softwarefactory-project-zuul bot pushed a commit that referenced this pull request

Oct 27, 2022

[PR #1199/5fe427c6 backport][stable-4] ec2_instance - validate options on tower_callback

This is a backport of PR #1199 as merged into main (5fe427c).

Depends-On: #1202

SUMMARY

Validate options for tower_callback parameter
Set tower_callback.set_password (the password) to no_log=True

ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME

ec2_instance

ADDITIONAL INFORMATION

Reviewed-by: Mark Chappell <None>

Related news

Ubuntu Security Notice USN-6846-2

Ubuntu Security Notice 6846-2 - USN-6846-1 fixed vulnerabilities in ansible. The update introduced a regression in ansible. This update fixes the problem. It was discovered that Ansible incorrectly handled certain inputs when using tower_callback parameter. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.

Ubuntu Security Notice USN-6846-1

Ubuntu Security Notice 6846-1 - It was discovered that Ansible incorrectly handled certain inputs when using tower_callback parameter. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. It was discovered that Ansible incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to perform a Template Injection.
