{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4237", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-08-08T11:15:05.990Z", "datePublished": "2023-10-04T14:23:20.710Z", "dateUpdated": "2024-11-23T01:27:07.673Z"}, "containers": {"cna": {"title": "Platform: ec2_key module prints out the private key directly to the standard output", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:ansible_automation_platform:2.4::el9", "cpe:/a:redhat:ansible_automation_platform:2.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "ansible-automation-platform-24/ee-supported-rhel8", "defaultStatus": "affected", "versions": [{"version": "1.0.0-423", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ansible_automation_platform_cloud_billing:2.4::el8", "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "cpe:/a:redhat:ansible_automation_platform:2.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:ansible_automation_platform:2.4::el9", "cpe:/a:redhat:ansible_automation_platform:2.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "ansible-automation-platform-24/ee-supported-rhel9", "defaultStatus": "affected", "versions": [{"version": "1.0.0-424", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ansible_automation_platform_cloud_billing:2.4::el8", "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "cpe:/a:redhat:ansible_automation_platform:2.4::el8"]}], "references": [{"url": "https://access.redhat.com/errata/RHBA-2023:5653", "name": "RHBA-2023:5653", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHBA-2023:5666", "name": "RHBA-2023:5666", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-4237", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2229979", "name": "RHBZ#2229979", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2023-08-08T11:15:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere", "timeline": [{"lang": "en", "time": "2023-08-08T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-08-08T11:15:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Jill Rouleau (redhat) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-23T01:27:07.673Z"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHBA-2023:5653", "name": "RHBA-2023:5653", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHBA-2023:5666", "name": "RHBA-2023:5666", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-4237", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2229979", "name": "RHBZ#2229979", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20241025-0002/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-10-25T13:07:30.578Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible_automation_platform:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "7B4BE2D6-43C3-4065-A213-5DB1325DC78F", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_collection:*:*:*:*:*:*:*:*", "matchCriteriaId": "60009086-F9BE-4F69-B37C-1F57F8C2C4D9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en la plataforma de automatizaci\u00f3n Ansible. Al crear un nuevo par de claves, el m\u00f3dulo ec2_key imprime la clave privada directamente en la salida est\u00e1ndar. Esta falla permite que un atacante obtenga esas claves de los archivos de registro, comprometiendo la confidencialidad, integridad y disponibilidad del sistema."}], "id": "CVE-2023-4237", "lastModified": "2024-11-21T08:34:41.347", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-04T15:15:12.643", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHBA-2023:5653"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHBA-2023:5666"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-4237"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2229979"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHBA-2023:5653"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHBA-2023:5666"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-4237"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2229979"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20241025-0002/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Jill Rouleau (redhat) for reporting this issue.", "affected_release": [{"advisory": "RHBA-2023:5653", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2023-10-10T00:00:00Z"}, {"advisory": "RHBA-2023:5666", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "ansible-automation-platform-24/ee-supported-rhel8:1.0.0-423", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2023-10-12T00:00:00Z"}, {"advisory": "RHBA-2023:5653", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2023-10-10T00:00:00Z"}, {"advisory": "RHBA-2023:5666", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "ansible-automation-platform-24/ee-supported-rhel9:1.0.0-424", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2023-10-12T00:00:00Z"}], "bugzilla": {"description": "platform: ec2_key module prints out the private key directly to the standard output", "id": "2229979", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2229979"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-497", "details": ["A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability.", "A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability."], "name": "CVE-2023-4237", "public_date": "2023-08-08T11:15:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-4237\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-4237"], "threat_severity": "Moderate"}