Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2023-4237: ansible,ansible1: ec2_key module prints out the private key directly to the standard output | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Robert Frohl <rfrohl> |
| Component: | Incidents | Assignee: | Galaxy Bugs <galaxy-bugs> |
| Status: | NEW --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P2 - High | CC: | alexander.graul, artem.shiliaev, galaxy-bugs, gayane.osipyan, marina.latini, security-team, stoyan.manolov |
| Version: | unspecified | Flags: | stoyan.manolov: needinfo? (galaxy-bugs) |
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/374480/ | ||
| Whiteboard: | CVSSv3.1:SUSE:CVE-2023-4237:6.5:(AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Robert Frohl
2023-08-09 11:52:53 UTC
We haven't yet had time to look into this in detail; we have a long backlog of bugs and this one having a medium (P3) priority did not help its case. If you bump the priority we can move this higher in our backlog. For SUMA we submitted ansible to have it available on a SLE-based control node that's operated by SUMA. It's not obvious to me if the reported behavior is a valid threat in our scenario. I think we show stdout in places that should not contain a private key, but I'm not sure that's the case for this specific output. We need to analyze this. Changed the priority so that we could take it into work at SUMA bug squad.