CVE-2022-3697

moderate-risk

Published 2022-10-28

A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.

Do I need to act?

0.22% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (3)

Ansible

Ansible Collection

Affected Vendors

Redhat

References (4)

Third Party Advisory https://github.com/ansible-collections/amazon.aws/pull/1199

https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html

Third Party Advisory https://github.com/ansible-collections/amazon.aws/pull/1199

https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 1/34 · Minimal

Exposure 9/34 · Low