CVE-2022-3697 — Ansible leaks password to logs

Description

A flaw was found in Ansible in the amazon.aws collection when using the `tower_callback` parameter from the `amazon.aws.ec2_instance` module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.

How to fix CVE-2022-3697

To remediate CVE-2022-3697, upgrade the affected package to a fixed version below.

—upgrade to 2.10.7+merged+base+2.10.17+dfsg-0+deb11u1 or later
—upgrade to 7.0.0 or later

Is CVE-2022-3697 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.10.7+merged+base+2.10.17+dfsg-0+deb11u1
>= 2.5.0, < 7.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-3697
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-3697
PATCHgithub.com/ansible/ansible
WEBgithub.com/ansible/ansible/pull/35749
WEB