CVE-2022-3644
Aliases: GHSA-qv37-mfjf-42h8
Advisory lineage Upstream: 0 Downstream: 1
Published: 25 Oct 2022, 00:00
Last modified: 07 May 2025, 19:38
Vulnerability Summary
Overall Risk (default): medium, 32/100
CVSS Score: 5.5 MEDIUM, v3.1 (cve.org)
EPSS Score: 0.05% LOW
KEV: Not listed
Ransomware: No reports
Public exploits: 1 found
Dark Web: Not detected
Timeline
- 25 Oct 2022, 00:00: Published (vulnerability first disclosed)
- 07 May 2025, 19:38: Last Modified (vulnerability information updated)
Description
The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only.
CVSS Metrics
- v3.1 • MEDIUM • Score: 5.5 • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Trends
Current EPSS score: 0.05% • Percentile: 15%
Techniques & Countermeasures
- CWE-256 • Plaintext Storage of a Password: The product stores a password in plaintext within resources such as memory or files.
- CWE-522 • Insufficiently Protected Credentials: The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Affected Systems
- pulpproject • pulp_ansible: na
- PyPI • pulp-ansible: < 0.15.0
- redhat • ansible_automation_platform: 2.0
- redhat • satellite: 6.0
- redhat • update_infrastructure: 3.0