CVE-2022-3644 - OpenCVE

The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Ansible Automation Platform Update Infrastructure Satellite
Pulpproject	Pulp Ansible

Configuration 1 [-]

cpe:2.3:a:pulpproject:pulp_ansible:-:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:redhat:ansible_automation_platform:2.0:::::::*
	cpe:2.3:a:redhat:satellite:6.0:::::::*
	cpe:2.3:a:redhat:update_infrastructure:3.0:::::::*

References

Link	Resource
https://github.com/pulp/pulp_ansible/blob/main/pulp_ansible/app/models.py#L234	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2022-10-25T00:00:00

Updated: 2022-10-25T00:00:00

Reserved: 2022-10-21T00:00:00

Link: CVE-2022-3644

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-10-25T18:15:10.020

Modified: 2022-10-28T19:01:21.457

Link: CVE-2022-3644

JSON object: View

Redhat Information

No data.

CWE

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pulpproject:pulp_ansible:-:*:*:*:*:*:*:*", "matchCriteriaId": "4DCED721-A508-4E93-ACF5-AB2B6C4BF2C6", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible_automation_platform:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "7B4BE2D6-43C3-4065-A213-5DB1325DC78F", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:satellite:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "848C92A9-0677-442B-8D52-A448F2019903", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:update_infrastructure:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "812C62CE-7B5A-491C-A02E-0E848D1FD780", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only."}, {"lang": "es", "value": "La colecci\u00f3n remota para pulp_ansible almacena tokens en texto plano en lugar de usar el campo encriptado de pulp y los expone en modo de lectura/escritura por medio de la API () en lugar de marcarla como s\u00f3lo de escritura"}], "id": "CVE-2022-3644", "lastModified": "2022-10-28T19:01:21.457", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-25T18:15:10.020", "references": [{"source": "secalert@redhat.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/pulp/pulp_ansible/blob/main/pulp_ansible/app/models.py#L234"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-256"}], "source": "secalert@redhat.com", "type": "Secondary"}]}