CVE-2023-4237 – Platform: ec2_key module prints out the private key directly to the standard output
https://notcve.org/view.php?id=CVE-2023-4237
A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability. Se encontró una falla en la plataforma de automatización Ansible. Al crear un nuevo par de claves, el módulo ec2_key imprime la clave privada directamente en la salida estándar. • https://access.redhat.com/errata/RHBA-2023:5653 https://access.redhat.com/errata/RHBA-2023:5666 https://access.redhat.com/security/cve/CVE-2023-4237 https://bugzilla.redhat.com/show_bug.cgi?id=2229979 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVE-2023-32983
https://notcve.org/view.php?id=CVE-2023-32983
Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier does not mask extra variables displayed on the configuration form, increasing the potential for attackers to observe and capture them. • https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3017 • CWE-312: Cleartext Storage of Sensitive Information •
CVE-2023-32982
https://notcve.org/view.php?id=CVE-2023-32982
Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier stores extra variables unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3017 • CWE-311: Missing Encryption of Sensitive Data •
CVE-2022-3644 – Pulp: Tokens stored in plaintext
https://notcve.org/view.php?id=CVE-2022-3644
The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only. La colección remota para pulp_ansible almacena tokens en texto plano en lugar de usar el campo encriptado de pulp y los expone en modo de lectura/escritura por medio de la API () en lugar de marcarla como sólo de escritura A flaw exists in the collection remote for pulp_ansible, where tokens are stored in plaintext instead of using pulp's encrypted field. This flaw allows an attacker with sufficient privileges to read the stored tokens, resulting in the loss of confidentiality. • https://github.com/pulp/pulp_ansible/blob/main/pulp_ansible/app/models.py#L234 https://access.redhat.com/security/cve/CVE-2022-3644 https://bugzilla.redhat.com/show_bug.cgi?id=2131990 • CWE-256: Plaintext Storage of a Password CWE-522: Insufficiently Protected Credentials •
CVE-2022-3205 – Controller: cross site scripting in automation controller ui
https://notcve.org/view.php?id=CVE-2022-3205
Cross site scripting in automation controller UI in Red Hat Ansible Automation Platform 1.2 and 2.0 where the project name is susceptible to XSS injection Se presenta un ataque de tipo un XSS en la Interfaz de Usuario del controlador de automatización en el que el nombre del proyecto es susceptible de inyección de tipo XSS • https://access.redhat.com/security/cve/CVE-2022-3205 https://bugzilla.redhat.com/show_bug.cgi?id=2120597 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •