Filtered by vendor Redhat
Subscriptions
Filtered by product Ansible Automation Platform
Subscriptions
Total
153 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-9979 | 1 Redhat | 2 Ansible Automation Platform, Enterprise Linux | 2025-07-05 | 5.3 Medium |
| A flaw was found in PyO3. This vulnerability causes a use-after-free issue, potentially leading to memory corruption or crashes via unsound borrowing from weak Python references. | ||||
| CVE-2024-9902 | 1 Redhat | 5 Ansible Automation Platform, Ansible Automation Platform Developer, Ansible Automation Platform Inside and 2 more | 2025-07-05 | 6.3 Medium |
| A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner. | ||||
| CVE-2024-8775 | 1 Redhat | 6 Ansible Automation Platform, Ansible Automation Platform Developer, Ansible Automation Platform Inside and 3 more | 2025-07-05 | 5.5 Medium |
| A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions. | ||||
| CVE-2024-11079 | 1 Redhat | 5 Ansible Automation Platform, Ansible Automation Platform Developer, Ansible Automation Platform Inside and 2 more | 2025-07-05 | 5.5 Medium |
| A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks. | ||||
| CVE-2024-11831 | 1 Redhat | 33 Acm, Advanced Cluster Security, Ansible Automation Platform and 30 more | 2025-07-04 | 5.4 Medium |
| A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package. | ||||
| CVE-2025-49520 | 1 Redhat | 3 Ansible Automation Platform, Ansible Automation Platform Developer, Ansible Automation Platform Inside | 2025-07-03 | 8.8 High |
| A flaw was found in Ansible Automation Platform’s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access. | ||||
| CVE-2025-49521 | 1 Redhat | 3 Ansible Automation Platform, Ansible Automation Platform Developer, Ansible Automation Platform Inside | 2025-07-03 | 8.8 High |
| A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift, it can lead to service account token theft. | ||||
| CVE-2024-3727 | 1 Redhat | 18 Acm, Advanced Cluster Security, Ansible Automation Platform and 15 more | 2025-07-02 | 8.3 High |
| A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks. | ||||
| CVE-2024-53907 | 2 Djangoproject, Redhat | 4 Django, Ansible Automation Platform, Ansible Automation Platform Developer and 1 more | 2025-06-24 | 7.5 High |
| An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities. | ||||
| CVE-2025-3576 | 1 Redhat | 3 Ansible Automation Platform, Enterprise Linux, Openshift | 2025-06-24 | 5.9 Medium |
| A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering. | ||||
| CVE-2023-50782 | 3 Couchbase, Cryptography.io, Redhat | 7 Couchbase Server, Cryptography, Ansible Automation Platform and 4 more | 2025-06-17 | 7.5 High |
| A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. | ||||
| CVE-2024-22195 | 2 Palletsprojects, Redhat | 9 Jinja, Ansible Automation Platform, Ceph Storage and 6 more | 2025-06-17 | 5.4 Medium |
| Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based. | ||||
| CVE-2023-49295 | 2 Quic-go Project, Redhat | 2 Quic-go, Ansible Automation Platform | 2025-06-17 | 6.4 Medium |
| quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. This vulnerability has been patched in versions 0.37.7, 0.38.2 and 0.39.4. | ||||
| CVE-2023-29483 | 5 Dnspython, Eventlet, Fedoraproject and 2 more | 9 Dnspython, Eventlet, Fedora and 6 more | 2025-06-17 | 7.0 High |
| eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1. | ||||
| CVE-2024-38875 | 2 Djangoproject, Redhat | 5 Django, Ansible Automation Platform, Openstack and 2 more | 2025-06-16 | 7.5 High |
| An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets. | ||||
| CVE-2024-39329 | 2 Djangoproject, Redhat | 5 Django, Ansible Automation Platform, Openstack and 2 more | 2025-06-16 | 5.3 Medium |
| An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password. | ||||
| CVE-2024-39330 | 2 Djangoproject, Redhat | 5 Django, Ansible Automation Platform, Openstack and 2 more | 2025-06-16 | 4.3 Medium |
| An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the django.core.files.storage.Storage base class, when they override generate_filename() without replicating the file-path validations from the parent class, potentially allow directory traversal via certain inputs during a save() call. (Built-in Storage sub-classes are unaffected.) | ||||
| CVE-2024-39614 | 2 Djangoproject, Redhat | 6 Django, Ansible Automation Platform, Openstack and 3 more | 2025-06-16 | 7.5 High |
| An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters. | ||||
| CVE-2023-44487 | 32 Akka, Amazon, Apache and 29 more | 367 Http Server, Opensearch Data Prepper, Apisix and 364 more | 2025-06-11 | 7.5 High |
| The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | ||||
| CVE-2024-53908 | 2 Djangoproject, Redhat | 2 Django, Ansible Automation Platform | 2025-06-09 | 9.8 Critical |
| An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.) | ||||