CVE-2023-4237

NameCVE-2023-4237
DescriptionA flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1055300

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ansible (PTS)jessie, jessie (lts)1.7.2+dfsg-2+deb8u3vulnerable
stretch (security), stretch (lts), stretch2.2.1.0-2+deb9u3vulnerable
buster (security), buster, buster (lts)2.7.7+dfsg-1+deb10u2vulnerable
bullseye2.10.7+merged+base+2.10.17+dfsg-0+deb11u1fixed
bookworm7.7.0+dfsg-3+deb12u1fixed
sid, trixie10.6.0+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ansiblesourcestretch(unfixed)end-of-life
ansiblesourcebullseye2.10.7+merged+base+2.10.17+dfsg-0+deb11u1
ansiblesourcebookworm7.7.0+dfsg-3+deb12u1
ansiblesource(unstable)9.4.0+dfsg-11055300

Notes

[buster] - ansible <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=2229979
https://github.com/advisories/GHSA-ww3m-ffrm-qvqv
https://github.com/ansible-collections/amazon.aws/pull/1704
Fixed by: https://github.com/ansible-collections/amazon.aws/commit/1a077fb3a15241db8964dc086d3b15370bbd1e4a (7.0.0)

Search for package or bug name: Reporting problems