Bugzilla – Bug 1214115
VUL-0: CVE-2023-4237: ansible,ansible1: ec2_key module prints out the private key directly to the standard output
Last modified: 2024-01-23 14:53:10 UTC
CVE-2023-4237 "When creating a new keypair the ec2_key module prints out the private key directly to the standard output. I wasn't able to find any way to disable this behavior in the module's documentation. This makes it unusable in any kind of public CI workflow such as GHA." Confirmed impacting all collection releases, and back to ansible-core 2.8 (did not test further back).
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4237
https://bugzilla.redhat.com/show_bug.cgi?id=2229979
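A mitigation for the behavior described above, written as an added example that is not from the bug report or from the ansible/amazon.aws projects: the first task shows the default leak, the following two keep the key out of the job log. The key name and destination path are constructed; the `key.private_key` field is the module's documented return value for a newly created keypair.

```yaml
# Added example (not from the bug report or the ansible/amazon.aws projects).
# Weak form: the module's return value, including key.private_key, is rendered
# by the stdout callback, so a public CI job log captures the private key.
- name: Create keypair (leaks the private key into the job log)
  amazon.aws.ec2_key:
    name: ci-deploy-key          # constructed example name
    state: present

# Hardened form: no_log suppresses the task result in callbacks and logs.
# The registered variable still carries the key inside the play, so it can
# be written to a 0600 file without ever being echoed.
- name: Create keypair without printing the result
  amazon.aws.ec2_key:
    name: ci-deploy-key
    state: present
  register: keypair
  no_log: true

- name: Persist the private key with restricted permissions
  ansible.builtin.copy:
    content: "{{ keypair.key.private_key }}"
    dest: /tmp/ci-deploy-key.pem   # constructed path
    mode: "0600"
  no_log: true                     # copy would otherwise show the content in diff output
  when: keypair.key.private_key is defined   # only present when the key was just created
```

Because no_log also hides the module's error details, expect less information on failure and debug such tasks on a runner whose logs are not public.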
We haven't yet had time to look into this in detail; we have a long backlog of bugs, and this one having a medium (P3) priority did not help its case. If you bump the priority we can move this higher in our backlog. For SUMA we submitted ansible to have it available on a SLE-based control node that's operated by SUMA. It's not obvious to me if the reported behavior is a valid threat in our scenario. I think we show stdout in places that should not contain a private key, but I'm not sure that's the case for this specific output. We need to analyze this.
Changed the priority so that we could take it into work at SUMA bug squad