Red Hat Ansible Automation Platform Developer
By the Year
In 2025 there have been 3 vulnerabilities in Red Hat Ansible Automation Platform Developer, with an average score of 7.6 out of ten. Last year, in 2024, Ansible Automation Platform Developer had 4 security vulnerabilities published. Right now, Ansible Automation Platform Developer is on track to have fewer security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 1.56.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 3 | 7.63 |
| 2024 | 4 | 6.08 |
| 2023 | 4 | 6.55 |
It may take a day or so for new Ansible Automation Platform Developer vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Ansible Automation Platform Developer Security Vulnerabilities
Ansible AAP Gateway CSRF Vulnerability (CVE-2025-5988)
CVE-2025-5988
5.3 - Medium
August 04, 2025
A flaw was found in the Ansible aap-gateway. Cross-site request forgery (CSRF) origin checking is not done on requests from the gateway to external components, such as the controller, hub, and EDA.
Session Riding
Ansible EDA Git ls-remote Injection Enables Command Exec
CVE-2025-49520
8.8 - High
June 30, 2025
A flaw was found in the EDA component of Ansible Automation Platform, where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access.
Argument Injection
Authenticated RCE via Jinja2 Injection in Ansible Automation Platform EDA
CVE-2025-49521
8.8 - High
June 30, 2025
A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift, it can lead to service account token theft.
Code Injection
Ansible User Module Privilege Escalation
CVE-2024-9902
6.3 - Medium
November 06, 2024
A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.
AuthZ
Ansible include_vars leak: Vault secrets exposed in logs
CVE-2024-8775
5.5 - Medium
September 14, 2024
A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.
Insertion of Sensitive Information into Log File
Memory Leak in Go RSA (golang-fips/openssl) Leads to Resource Exhaustion
CVE-2024-1394
7.5 - High
March 21, 2024
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.
Memory Leak
Ansible Core Info Disclosure via ANSIBLE_NO_LOG Ignored
CVE-2024-0690
5 - Medium
February 06, 2024
An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.
Improper Output Neutralization for Logs
An absolute path traversal attack exists in the Ansible Automation Platform
CVE-2023-5115
6.3 - Medium
December 18, 2023
An absolute path traversal attack exists in the Ansible Automation Platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.
Absolute Path Traversal
A path traversal vulnerability exists in Ansible when extracting tarballs
CVE-2023-5189
6.3 - Medium
November 14, 2023
A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten.
Relative Path Traversal
An HTML injection flaw was found in Controller in the user interface settings
CVE-2023-3971
7.3 - High
October 04, 2023
An HTML injection flaw was found in Controller in the user interface settings. This flaw allows an attacker to capture credentials by creating a custom login page by injecting HTML, resulting in a complete compromise.
Basic XSS
A logic flaw exists in Ansible Automation Platform
CVE-2023-4380
6.3 - Medium
October 04, 2023
A logic flaw exists in Ansible Automation Platform. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the credentials from the log, resulting in the loss of confidentiality, integrity, and availability.
Insertion of Sensitive Information into Log File