VYPR
Moderate severity · NVD Advisory · Published Oct 5, 2020 · Updated Aug 4, 2024

CVE-2020-25635

Description

A flaw was found in Ansible Base when using the aws_ssm connection plugin, as garbage collection does not happen after the playbook run is completed. Files would remain in the bucket, exposing the data. This issue directly affects data confidentiality.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Ansible aws_ssm connection plugin fails to delete transferred files from S3 after playbook completion, risking data exposure.

The Ansible aws_ssm connection plugin does not garbage-collect the files it stages in an S3 bucket while transferring them to managed hosts during playbook execution [1][3]. The objects remain in the bucket after the playbook run completes, which directly affects data confidentiality [1]. The cause is missing cleanup logic: the plugin neither removes a transferred file once the copy is done nor keeps staged files in properly namespaced folders, so data from every host and every run accumulates where anyone with bucket access can read it [3].

The aws_ssm connection plugin transfers files to AWS instances over Systems Manager (SSM), staging each file temporarily in an S3 bucket that both the control node and the instance can reach. The attack surface is therefore limited to principals who can read that bucket: an attacker obtains the leftover files if the bucket policy or IAM permissions are broader than intended, and nothing purges them unless a lifecycle rule expires stale objects. No authentication to the Ansible control node is required; the risk is to the confidentiality of whatever was staged in the shared bucket [1].

A successful attacker could read sensitive data transferred during playbook runs, such as configuration files, scripts, or credentials, and use it to compromise further AWS resources or other systems managed by Ansible. The exposure directly impacts data confidentiality, as the CVE description states [1].

The vulnerability was fixed in the community.aws collection via pull request #237, which introduced per-host namespaced folders in the S3 bucket and ensures transferred files are deleted after use [3]. Users should update the community.aws collection to the patched version (and the ansible package to 2.10.1 or later, per the GitHub Security Advisory) to remediate the issue. Upgrading only changes the behaviour of future runs: objects already left behind by earlier playbook runs stay in the bucket until they are found and deleted. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
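As an added example (not the aws_ssm plugin's own code, nor the fix from PR #237): the staging pattern described above, first in the leaky form where the object is left under a flat key after the copy, then hardened with a per-host, per-run key prefix and a delete in a `finally` clause, plus an audit helper that lists staging objects that outlived their run. The S3 client is an in-memory stand-in with boto3-style method names so the example runs offline; the bucket name, host ID and the `managed_host_download` stand-in for the SSM-driven copy are constructed for the example and are not the plugin's real mechanism.

```python
"""Added example for CVE-2020-25635 (not the aws_ssm plugin's own code):
the S3 staging pattern behind the flaw next to a hardened version, run
against an in-memory stand-in for the S3 client so it works offline."""
from datetime import datetime, timedelta, timezone


class FakeS3:
    """Constructed stand-in for boto3's S3 client: only the calls used below,
    with boto3-style keyword arguments so a real client can be dropped in."""

    def __init__(self):
        self.objects = {}  # (bucket, key) -> (body, LastModified)
        self.clock = lambda: datetime.now(timezone.utc)  # overridable in tests

    def put_object(self, Bucket, Key, Body):
        self.objects[(Bucket, Key)] = (Body, self.clock())

    def get_object(self, Bucket, Key):
        body, _ = self.objects[(Bucket, Key)]
        return {"Body": body}

    def delete_object(self, Bucket, Key):
        self.objects.pop((Bucket, Key), None)

    def list_objects_v2(self, Bucket, Prefix=""):
        contents = [{"Key": k, "LastModified": t}
                    for (b, k), (_, t) in self.objects.items()
                    if b == Bucket and k.startswith(Prefix)]
        return {"Contents": contents, "KeyCount": len(contents)}


def managed_host_download(s3, bucket, key):
    """Hypothetical stand-in for the copy the plugin drives on the instance
    over SSM; the real plugin runs a command on the host for this step."""
    return s3.get_object(Bucket=bucket, Key=key)["Body"]


def leaky_put_file(s3, bucket, data, remote_path, download=managed_host_download):
    """Pre-fix behaviour: stage the file under a flat key and never delete it.
    The key depends only on the destination path, so every host and every run
    share one namespace and the object outlives the playbook."""
    key = remote_path.lstrip("/")
    s3.put_object(Bucket=bucket, Key=key, Body=data)
    download(s3, bucket, key)
    return key  # the object is still in the bucket after this returns


def hardened_put_file(s3, bucket, data, remote_path, host_id, run_id,
                      download=managed_host_download):
    """Post-fix behaviour: per-host, per-run prefix plus an unconditional delete.
    The finally clause removes the staged object even when the copy fails."""
    key = f"{host_id}/{run_id}/{remote_path.lstrip('/')}"
    s3.put_object(Bucket=bucket, Key=key, Body=data)
    try:
        download(s3, bucket, key)
    finally:
        s3.delete_object(Bucket=bucket, Key=key)
    return key  # returned for logging only; the object is gone


def leftover_objects(s3, bucket, older_than, now=None, prefix=""):
    """Audit helper: keys in the staging bucket older than `older_than`
    (a timedelta), i.e. objects that survived their playbook run."""
    now = now or datetime.now(timezone.utc)
    resp = s3.list_objects_v2(Bucket=bucket, Prefix=prefix)
    return sorted(o["Key"] for o in resp.get("Contents", [])
                  if now - o["LastModified"] > older_than)


if __name__ == "__main__":
    s3 = FakeS3()
    bucket = "example-ansible-ssm-staging"  # constructed bucket name
    secret = b"db_password: hunter2"  # constructed sample payload
    print("leaky key   :", leaky_put_file(s3, bucket, secret, "/etc/app/creds.yml"))
    print("hardened key:", hardened_put_file(s3, bucket, secret, "/etc/app/creds.yml",
                                             "i-0123456789abcdef0", "run-1"))
    print("leftovers   :", leftover_objects(s3, bucket, timedelta(seconds=0)))
```

To run the audit against a real staging bucket, replace `FakeS3()` with `boto3.client("s3")`; note that a real `list_objects_v2` call returns at most 1000 keys per page, so wrap it in the client's paginator before trusting the result, and remember that an S3 lifecycle expiration rule on the staging prefix is a backstop for missed deletes, not a substitute for the plugin-side cleanup.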

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: ansible (PyPI)
Affected versions: < 2.10.1
Patched versions: 2.10.1

Affected products

2
  • ghsa-coords (the GitHub Security Advisory package above: ansible on PyPI)
    Range: < 2.10.1
  • AWS Community / Community Collections v5
    Range: from 1.0.0 to 1.2.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

6

News mentions

0

No linked articles in our index yet.