CVE-2022-3697
Description
A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter of the amazon.aws.ec2_instance module. Because the module handles this parameter insecurely, the password supplied through it leaks into the logs, where an attacker can read it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ansible amazon.aws collection's ec2_instance module insecurely handles the tower_callback parameter, leaking the password in plaintext logs.
A flaw was found in Ansible's amazon.aws collection, specifically in the ec2_instance module, related to the tower_callback parameter. The module was handling this parameter insecurely, causing the password supplied via tower_callback to be written in plaintext to log files. This oversight meant that sensitive credentials were exposed to anyone with access to the logs, violating the principle of securing secrets at rest and in transit [1].
Exploitation
An attacker who gains read access to the affected Ansible logs can retrieve the plaintext password. No special network position or authentication beyond log access is required; the exposure is purely a result of the insecure parameter handling. The attack surface is limited to environments where the tower_callback feature is used with the ec2_instance module [2].
Impact
Successful exploitation allows the attacker to obtain the password associated with the tower_callback functionality. With this credential, they could potentially gain unauthorized access to the associated tower (AWX/Ansible Tower) instance, leading to further compromise of managed hosts and automation workflows. The confidentiality of the system is directly impacted [1].
Mitigation
The issue was addressed in a fix merged on October 25, 2022, by setting tower_callback.set_password to no_log=True, which prevents the password from being logged [2]. Users should update the amazon.aws collection to the version containing this fix. As of the publication date, the vulnerability has been patched, and no workaround is necessary if the collection is updated [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
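To make the mitigation concrete, the following added example (not code from amazon.aws or Ansible) shows the class of defect and the check a reviewer can run on it: a small linter that walks an Ansible-style argument_spec and reports secret-looking options that are not declared no_log=True, plus a simplified model of how a no_log option is masked before parameters are logged. The argument_spec used here is a constructed simplification shaped like the affected module (tower_callback with a set_password suboption), not the module's real spec; the placeholder string VALUE_SPECIFIED_IN_NO_LOG_PARAMETER is the one Ansible substitutes for masked values, but the redaction function is an illustration of the idea, not Ansible's implementation.

```python
"""Added example: detect secret-bearing Ansible module options that lack
no_log=True, and model the masking that the fix enables."""
import copy
import re

# Option names that usually carry a credential; a constructed heuristic for this example.
SECRET_NAME = re.compile(r"(password|passwd|secret|token)", re.IGNORECASE)

# Placeholder Ansible writes in place of a no_log value.
MASK = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"


def find_unmasked_secrets(argument_spec, prefix=""):
    """Return dotted paths of secret-looking options, at any nesting depth,
    that are not declared no_log=True."""
    findings = []
    for name, spec in argument_spec.items():
        path = prefix + name
        if SECRET_NAME.search(name) and not spec.get("no_log", False):
            findings.append(path)
        suboptions = spec.get("options")
        if suboptions:
            findings.extend(find_unmasked_secrets(suboptions, path + "."))
    return findings


def redact_params(argument_spec, params):
    """Simplified model of no_log masking: replace the value of every option
    declared no_log=True with MASK, recursing into dict-typed options.
    Illustration only, not Ansible's own logic."""
    redacted = copy.deepcopy(params)
    for name, spec in argument_spec.items():
        if redacted.get(name) is None:
            continue
        if spec.get("no_log", False):
            redacted[name] = MASK
        elif spec.get("options") and isinstance(redacted[name], dict):
            redacted[name] = redact_params(spec["options"], redacted[name])
    return redacted


# Constructed, simplified spec in the shape of the vulnerable module:
# the callback password carries no no_log marker.
VULNERABLE_SPEC = {
    "name": {"type": "str"},
    "tower_callback": {
        "type": "dict",
        "options": {
            "tower_address": {"type": "str"},
            "job_template_id": {"type": "str"},
            "host_config_key": {"type": "str"},
            "set_password": {"type": "str"},
        },
    },
}

# Same spec with the advisory's fix applied: no_log=True on set_password.
FIXED_SPEC = copy.deepcopy(VULNERABLE_SPEC)
FIXED_SPEC["tower_callback"]["options"]["set_password"]["no_log"] = True

# Constructed task parameters; every value here is a dummy.
SAMPLE_PARAMS = {
    "name": "web-01",
    "tower_callback": {
        "tower_address": "tower.example.internal",
        "job_template_id": "42",
        "host_config_key": "cfgkey-placeholder",
        "set_password": "dummy-callback-password",
    },
}


if __name__ == "__main__":
    print("unmasked secrets (vulnerable):", find_unmasked_secrets(VULNERABLE_SPEC))
    print("unmasked secrets (fixed):", find_unmasked_secrets(FIXED_SPEC))
    print("logged params (vulnerable):", redact_params(VULNERABLE_SPEC, SAMPLE_PARAMS))
    print("logged params (fixed):", redact_params(FIXED_SPEC, SAMPLE_PARAMS))
```

Run against the vulnerable spec, the linter flags tower_callback.set_password and the password survives into the logged parameters unchanged; with no_log=True on that suboption the finding disappears and the logged value is the mask while the non-secret suboptions stay readable. The name heuristic is deliberately narrow, so a real review should still read each option's documentation rather than rely on the regex alone.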
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ansible (PyPI) | >= 2.5.0, < 7.0.0 | 7.0.0 |
Affected products
- Ansible/amazon.aws collection
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cpx3-93w7-457x (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-3697 (advisory)
- github.com/ansible-collections/amazon.aws/pull/1199 (web)
- github.com/ansible-community/ansible-build-data/blob/main/6/CHANGELOG-v6.rst (web)
- github.com/ansible/ansible/pull/35749 (web)
- lists.debian.org/debian-lts-announce/2023/12/msg00018.html (web)
News mentions
No linked articles in our index yet.