CVE-2023-4237

Platform: ec2_key module prints out the private key directly to the standard output

Description

A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability.

References

Link	Tags
https://access.redhat.com/errata/RHBA-2023:5653	vendor advisory
https://access.redhat.com/errata/RHBA-2023:5666	vendor advisory
https://access.redhat.com/security/cve/CVE-2023-4237	vdb entry vendor advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2229979	issue tracking vendor advisory
https://security.netapp.com/advisory/ntap-20241025-0002/

Frequently Asked Questions

What is the severity of CVE-2023-4237?: CVE-2023-4237 has been scored as a high severity vulnerability.
How to fix CVE-2023-4237?: To fix CVE-2023-4237, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-4237 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2023-4237 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-4237?: CVE-2023-4237 affects Red Hat Red Hat Ansible Automation Platform 2.4 for RHEL 8, Red Hat Red Hat Ansible Automation Platform 2.4 for RHEL 8, Red Hat Red Hat Ansible Automation Platform 2.4 for RHEL 9, Red Hat Red Hat Ansible Automation Platform 2.4 for RHEL 9.

Description

Category

CWE-497 – Exposure of Sensitive System Information to an Unauthorized Control Sphere

References

Frequently Asked Questions