VYPR

Ansible Automation Platform

by Red Hat

CVEs (24)

  • CVE-2023-44487 · High · KEV · Oct 10, 2023
    risk 0.65 · cvss 7.5 · epss 1.00

    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

  • CVE-2025-49521 · High · Jun 30, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on…

  • CVE-2025-49520 · High · Jun 30, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    A flaw was found in Ansible Automation Platform’s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In…

  • CVE-2025-14025 · High · Jan 8, 2026
    risk 0.55 · cvss 8.5 · epss 0.00

    A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API Tokens in AAP are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows read-only tokens to perform write operations on backend services (e.g.,…

  • CVE-2024-1657 · High · Apr 25, 2024
    risk 0.53 · cvss 8.1 · epss 0.00

    A flaw was found in the ansible automation platform. An insecure WebSocket connection was being used in installation from the Ansible rulebook EDA server. An attacker that has access to any machine in the CIDR block could download all rulebook data from the WebSocket, resulting…

  • CVE-2025-57847 · Medium · Apr 8, 2026
    risk 0.42 · cvss 6.4 · epss 0.00

    A container privilege escalation flaw was found in certain Ansible Automation Platform images. This issue arises from the /etc/passwd file being created with group-writable permissions during the build process. In certain conditions, an attacker who can execute commands within…

  • CVE-2024-9620 · Medium · Oct 8, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    A flaw was found in Event-Driven Automation (EDA) in Ansible Automation Platform (AAP), which lacks encryption of sensitive information. An attacker with network access could exploit this vulnerability by sniffing the plaintext data transmitted between the EDA and AAP. An…

  • CVE-2025-7738 · Medium · Jul 31, 2025
    risk 0.29 · cvss 4.4 · epss 0.00

    A flaw was found in Ansible Automation Platform (AAP) where the Gateway API returns the client secret for certain GitHub Enterprise authenticators in clear text. This vulnerability affects administrators or auditors accessing authenticator configurations. While access is limited…

  • CVE-2024-11483 · Medium · Nov 25, 2024
    risk 0.26 · cvss 5.0 · epss 0.01

    A vulnerability was found in the Ansible Automation Platform (AAP). This flaw allows attackers to escalate privileges by improperly leveraging read-scoped OAuth2 tokens to gain write access. This issue affects API endpoints that rely on ansible_base.oauth2_provider for OAuth2…

  • CVE-2025-9909 · Feb 27, 2026
    risk 0.00 · cvss (not listed) · epss 0.00

    A flaw was found in the Red Hat Ansible Automation Platform Gateway route creation component. This vulnerability allows credential theft via the creation of misleading routes using a double-slash (//) prefix in the gateway_path. A malicious or socially engineered administrator…

  • CVE-2025-9908 · Feb 27, 2026
    risk 0.00 · cvss (not listed) · epss 0.00

    A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. This vulnerability allows an authenticated user to gain access to sensitive internal infrastructure headers (such as X-Trusted-Proxy and X-Envoy-*) and event stream URLs via…

  • CVE-2025-9907 · Feb 27, 2026
    risk 0.00 · cvss (not listed) · epss 0.00

    A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Stream API. This vulnerability allows exposure of sensitive client credentials and internal infrastructure headers via the test_headers field when an event stream is in test mode. The…

  • CVE-2025-53861 · Jul 11, 2025
    risk 0.00 · cvss (not listed) · epss 0.00

    A flaw was found in Ansible. Sensitive cookies without security flags over non-encrypted channels can lead to Man-in-the-Middle (MitM) and Cross-site scripting (XSS) attacks allowing attackers to read transmitted data.

  • CVE-2025-53862 · Jul 11, 2025
    risk 0.00 · cvss (not listed) · epss 0.00

    A flaw was found in Ansible. Three API endpoints are accessible and return verbose, unauthenticated responses. This flaw allows a malicious user to access data that may contain important information.

  • CVE-2023-6681 · Feb 12, 2024
    risk 0.00 · cvss (not listed) · epss 0.01

    A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service (DoS) attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can result in a large amount of computational consumption, causing a…

  • CVE-2023-5115 · Dec 18, 2023
    risk 0.00 · cvss (not listed) · epss 0.01

    An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.

  • CVE-2023-5764 · Dec 12, 2023
    risk 0.00 · cvss (not listed) · epss 0.01

    A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying…

  • CVE-2023-5189 · Nov 14, 2023
    risk 0.00 · cvss (not listed) · epss 0.01

    A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten.

  • CVE-2022-3248 · Oct 5, 2023
    risk 0.00 · cvss (not listed) · epss 0.00

    A flaw was found in OpenShift API, as admission checks do not enforce "custom-host" permissions. This issue could allow an attacker to violate the boundaries, as permissions will not be applied.

  • CVE-2023-3971 · Oct 4, 2023
    risk 0.00 · cvss (not listed) · epss 0.01

    An HTML injection flaw was found in Controller in the user interface settings. This flaw allows an attacker to capture credentials by creating a custom login page by injecting HTML, resulting in a complete compromise.

Page 1 of 2