Red Hat Ansible Automation Platform
Recent Red Hat Ansible Automation Platform Security Advisories
Advisory | Title | Published |
---|---|---|
RHSA-2025:4553 | (RHSA-2025:4553) Moderate: Red Hat Ansible Automation Platform 2.5 Product Security and Bug Fix Update | May 6, 2025 |
RHSA-2025:3637 | (RHSA-2025:3637) Important: Red Hat Ansible Automation Platform 2.5 Product Security and Bug Fix Update | April 7, 2025 |
RHSA-2025:3636 | (RHSA-2025:3636) Important: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update | April 7, 2025 |
RHSA-2025:3162 | (RHSA-2025:3162) Important: Red Hat Ansible Automation Platform 2.5 Container Release Update | March 25, 2025 |
RHSA-2025:3160 | (RHSA-2025:3160) Important: Red Hat Ansible Automation Platform 2.5 Product Security and Bug Fix Update | March 25, 2025 |
RHSA-2025:3124 | (RHSA-2025:3124) Important: Red Hat Ansible Automation Platform 2.4 Container Release Update | March 24, 2025 |
RHSA-2025:3123 | (RHSA-2025:3123) Important: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update | March 24, 2025 |
RHSA-2025:2664 | (RHSA-2025:2664) Important: Red Hat Ansible Automation Platform Execution Environments Container Release Update | March 11, 2025 |
RHSA-2025:1101 | (RHSA-2025:1101) Important: Red Hat Ansible Automation Platform Execution Environments Container Release Update | February 5, 2025 |
RHSA-2025:0782 | (RHSA-2025:0782) Moderate: Red Hat Ansible Automation Platform 2.5 Container Release Update | January 28, 2025 |
By the Year
In 2025 there have been 0 vulnerabilities in Red Hat Ansible Automation Platform. Last year, in 2024, Ansible Automation Platform had 3 security vulnerabilities published. Right now, Ansible Automation Platform is on track to have fewer security vulnerabilities in 2025 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 3 | 6.20 |
2023 | 3 | 7.27 |
2022 | 5 | 6.02 |
2021 | 4 | 7.30 |
2020 | 0 | 0.00 |
2019 | 0 | 0.00 |
2018 | 0 | 0.00 |
It may take a day or so for new Ansible Automation Platform vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Ansible Automation Platform Security Vulnerabilities
Ansible Automation Platform OAuth2 Token Privilege Escalation Vulnerability
CVE-2024-11483
5 - Medium
- November 25, 2024
A vulnerability was found in the Ansible Automation Platform (AAP). This flaw allows attackers to escalate privileges by improperly leveraging read-scoped OAuth2 tokens to gain write access. This issue affects API endpoints that rely on ansible_base.oauth2_provider for OAuth2 authentication. While the impact is limited to actions within the user's assigned permissions, it undermines scoped access controls, potentially allowing unintended modifications in the application and consuming services.
Authorization
A vulnerability was found in aap-gateway
CVE-2024-10033
6.1 - Medium
- October 16, 2024
A vulnerability was found in aap-gateway. A Cross-site Scripting (XSS) vulnerability exists in the gateway component. This flaw allows a malicious user to perform actions that impact users by using the "?next=" in a URL, which can lead to redirecting, injecting malicious script, stealing sessions and data.
XSS
A flaw was found in the python-cryptography package
CVE-2023-50782
7.5 - High
- February 05, 2024
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
Side Channel Attack
A path traversal vulnerability exists in Ansible when extracting tarballs
CVE-2023-5189
6.5 - Medium
- November 14, 2023
A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten.
Relative Path Traversal
The HTTP/2 protocol
CVE-2023-44487
7.5 - High
- October 10, 2023
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Resource Exhaustion
A flaw was found in the Ansible Automation Platform
CVE-2023-4237
7.8 - High
- October 04, 2023
A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability.
The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode
CVE-2022-3644
5.5 - Medium
- October 25, 2022
The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking them as write-only.
Insufficiently Protected Credentials
Cross site scripting in automation controller UI in Red Hat Ansible Automation Platform 1.2 and 2.0 where the project name is susceptible to XSS injection
CVE-2022-3205
6.1 - Medium
- September 13, 2022
Cross site scripting in automation controller UI in Red Hat Ansible Automation Platform 1.2 and 2.0 where the project name is susceptible to XSS injection
XSS
An Improper Certificate Validation attack was found in Openshift
CVE-2022-1632
6.5 - Medium
- September 01, 2022
An Improper Certificate Validation attack was found in OpenShift. A re-encrypt Route with destinationCACertificate explicitly set to the default serviceCA skips internal Service TLS certificate validation. This flaw allows an attacker to exploit an invalid certificate, resulting in a loss of confidentiality.
Improper Certificate Validation
A privilege escalation flaw was found in the Ansible Automation Platform
CVE-2022-2568
6.5 - Medium
- August 18, 2022
A privilege escalation flaw was found in the Ansible Automation Platform. This flaw allows a remote authenticated user with 'change user' permissions to modify the account settings of the superuser account and also remove the superuser privileges.
Improper Privilege Management
A flaw was found in Ansible Galaxy Collections
CVE-2021-3681
5.5 - Medium
- April 18, 2022
A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in "galaxy.yml" are included in the ``.tar.gz`` file. This contains sensitive info, such as the user's Ansible Galaxy API key and any secrets in ``ansible`` or ``ansible-playbook`` verbose output without the ``no_log`` redaction. Currently, there is no way to deprecate a Collection or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets.
Insufficiently Protected Credentials
A flaw was found in Ansible, where a user's controller is vulnerable to template injection
CVE-2021-3583
7.1 - High
- September 22, 2021
A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.
Code Injection
Rejected reason: This vulnerability does not meet the criteria for a security vulnerability
CVE-2021-3533
- June 09, 2021
Rejected reason: This vulnerability does not meet the criteria for a security vulnerability
Rejected reason: This CVE is marked as INVALID and not a bug
CVE-2021-3532
- June 09, 2021
Rejected reason: This CVE is marked as INVALID and not a bug
A flaw was found in the Ansible Engine 2.9.18
CVE-2021-20228
7.5 - High
- April 29, 2021
A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from this vulnerability is to confidentiality.
Information Disclosure
