{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-49520", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-06-06T14:33:40.850Z", "datePublished": "2025-06-30T20:45:28.706Z", "dateUpdated": "2025-07-01T01:53:36.401Z"}, "containers": {"cna": {"title": "Event-driven-ansible: authenticated argument injection in git url in eda project creation", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible Automation Platform\u2019s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "automation-eda-controller", "defaultStatus": "affected", "versions": [{"version": "0:1.1.11-1.el8ap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9", "cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9", "cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8", "cpe:/a:redhat:ansible_automation_platform:2.5::el9", "cpe:/a:redhat:ansible_automation_platform:2.5::el8", "cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "automation-eda-controller", "defaultStatus": "affected", "versions": [{"version": "0:1.1.11-1.el9ap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9", "cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9", "cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8", "cpe:/a:redhat:ansible_automation_platform:2.5::el9", "cpe:/a:redhat:ansible_automation_platform:2.5::el8", "cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:9986", "name": "RHSA-2025:9986", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2025-49520", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370812", "name": "RHBZ#2370812", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2025-06-30T20:43:13.185Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-88", "description": "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2025-06-06T15:04:28.551000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-06-30T20:43:13.185000+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-07-01T01:53:36.401Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible Automation Platform\u2019s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access."}], "id": "CVE-2025-49520", "lastModified": "2025-07-01T02:15:22.190", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-06-30T21:15:30.913", "references": [{"source": "[email protected]", "url": "https://access.redhat.com/errata/RHSA-2025:9986"}, {"source": "[email protected]", "url": "https://access.redhat.com/security/cve/CVE-2025-49520"}, {"source": "[email protected]", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370812"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "[email protected]", "type": "Secondary"}]}

{"bugzilla": {"description": "event-driven-ansible: Authenticated Argument Injection in Git URL in EDA Project Creation", "id": "2370812", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370812"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-88", "details": ["A flaw was found in Ansible Automation Platform\u2019s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-49520", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "event-driven-ansible", "product_name": "Red Hat Ansible Automation Platform 2"}], "public_date": "2025-06-30T20:43:13Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-49520\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-49520"], "statement": "The Red Hat Product Security team has assessed the severity of this vulnerability as Important. Although authentication is required, the flaw allows remote code execution and token theft within containerized environments like OpenShift. The vulnerability stems from a lack of input validation on user-supplied Git URLs passed to git commands.", "threat_severity": "Important"}