CVE-2022-3644
MEDIUM
Published Oct 25, 20223y ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Published Oct 25, 2022 3y ago
Last Modified Jun 17, 2026 2w ago
Description
The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None
Threat Intelligence
No active exploitation signals — not in CISA KEV and no EPSS score yet.
Exploit & Patch Status
Public Exploit Known
No Patch Available
Weaknesses 2
CWE-256
CWE-522
Affected Products 4
| Vendor | Product | Version | Range |
|---|---|---|---|
| pulpproject | pulp_ansible | * | any |
| redhat | ansible_automation_platform | 2.0 | any |
| redhat | satellite | 6.0 | any |
| redhat | update_infrastructure | 3.0 | any |
References 1
- github.com https://github.com/pulp/pulp_ansible/blob/main/pulp_ansible/app/models.py#L234
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.