
CVE-2022-3644: Plaintext storage of tokens in pulp_ansible

CVSS Score: 5.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.06323%
Published: 10/25/2022
Updated: 1/30/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
pulp-ansible | pip | < 0.15.0 | 0.15.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from field declarations in Django models and serializers rather than from any specific function. The 'token' field on CollectionRemote (models.py) was declared as a plain models.TextField, so the token was written to the database in plaintext, and the API exposed it because the corresponding serializer field (serializers.py) lacked write_only=True, so any client permitted to read the remote received the token back in API responses. These are configuration issues in class attributes rather than executable code. The fix, first shipped in pulp_ansible 0.15.0, changed the model field to EncryptedTextField and marked the serializer field write_only=True; the token is encrypted rather than hashed because the remote still needs the original value to authenticate to the upstream collection server. Upgrading only changes how values are stored and returned from then on, so tokens that were already stored in plaintext or returned over the API should be rotated.
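The following is an added illustration, not code from pulp_ansible or pulpcore. It reduces Django and Django REST Framework to a few classes that keep only the two behaviours the root cause turns on: a model field decides what lands in the database column, and a serializer field declared write_only=True is accepted on input but left out of API output. The cipher is a stdlib stand-in (HMAC-SHA256 in counter mode with encrypt-then-MAC) for pulpcore's Fernet-backed EncryptedTextField, the demo key, the class names, the simulate() helper and the sample request body are all assumptions made for this example.

```python
"""Added illustration (not pulp_ansible/pulpcore code) of the declarations behind
CVE-2022-3644. Django and DRF are stood in for by a few classes that keep only what
matters: a model field decides what lands in the DB column, and a serializer field
with write_only=True is accepted on input but never emitted in output. The cipher is
a stdlib stand-in for pulpcore's Fernet-backed EncryptedTextField; use that field."""
import hashlib
import hmac
import os

# Assumed: one secret per deployment, read from the environment for this demo.
# Pulpcore loads a Fernet key from a key file named in its settings instead.
_DEMO_KEY = os.environ.get("DEMO_DB_KEY", "demo-key-not-for-production").encode()

def _subkeys(key):
    # Independent keys for keystream and tag, both derived from the master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 as a PRF in counter mode: nonce || counter -> 32 keystream bytes.
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def encrypt(plaintext, key=_DEMO_KEY):
    """Return hex(nonce || ciphertext || tag), fresh random nonce per call."""
    enc_key, mac_key = _subkeys(key)
    nonce, data = os.urandom(16), plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()

def decrypt(blob, key=_DEMO_KEY):
    """Verify the tag before touching the ciphertext; wrong key or tampering raises."""
    enc_key, mac_key = _subkeys(key)
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()

class TextField:
    """Like models.TextField: the column holds exactly what was assigned."""
    def to_db(self, value): return value
    def from_db(self, stored): return stored

class EncryptedTextField(TextField):
    """Like pulpcore's field: ciphertext in the column, decrypted on attribute access."""
    def to_db(self, value): return encrypt(value)
    def from_db(self, stored): return decrypt(stored)

class Model:
    fields = {}  # name -> model field, declared on subclasses
    def __init__(self, **values):
        # self.row is what the ORM writes to the table (what a DB dump would show).
        self.row = {name: f.to_db(values[name]) for name, f in self.fields.items()}

    def __getattr__(self, name):  # attribute reads go through from_db()
        fields = type(self).fields
        if name in fields:
            return fields[name].from_db(self.row[name])
        raise AttributeError(name)

class SerializerField:
    def __init__(self, write_only=False): self.write_only = write_only

class Serializer:
    fields = {}  # name -> serializer field, declared on subclasses
    @classmethod
    def to_internal_value(cls, payload):
        """POST/PATCH side: every declared field is writable, write_only or not."""
        return {n: payload[n] for n in cls.fields if n in payload}

    @classmethod
    def to_representation(cls, instance):
        """GET side: DRF leaves write_only fields out of the response body."""
        return {n: getattr(instance, n) for n, f in cls.fields.items() if not f.write_only}

# pulp_ansible < 0.15.0: plaintext column, token echoed back on every GET.
class VulnerableRemote(Model):
    fields = {"url": TextField(), "token": TextField()}
class VulnerableRemoteSerializer(Serializer):
    fields = {"url": SerializerField(), "token": SerializerField()}

# pulp_ansible >= 0.15.0: encrypted column, token write-only.
class FixedRemote(Model):
    fields = {"url": TextField(), "token": EncryptedTextField()}
class FixedRemoteSerializer(Serializer):
    fields = {"url": SerializerField(), "token": SerializerField(write_only=True)}

def simulate(model_cls, serializer_cls, payload):
    """Create a remote through the API; return (stored DB row, body of a later GET)."""
    remote = model_cls(**serializer_cls.to_internal_value(payload))
    return remote.row, serializer_cls.to_representation(remote)

# Constructed sample request body; the token value is made up.
SAMPLE = {"url": "https://galaxy.example/api/", "token": "glx-secret-token-123"}
```

Running simulate() with the vulnerable pair shows the token verbatim in both the stored row and the GET body; with the fixed pair the row holds only ciphertext, the GET body has no token key at all, and FixedRemote(...).token still yields the original value, which is why an encrypted field rather than a hash is the right choice for a credential the service must present upstream.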


WAF Protection Rules

WAF Rule

The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only.
