Multiple vulnerabilities in Red Hat Ansible Automation Platform 2.4 for RHEL 9



Published: 2023-08-22
Risk: Medium
Patch available: Yes
Number of vulnerabilities: 4
CVE-ID: CVE-2023-23931, CVE-2023-32681, CVE-2023-36053, CVE-2023-4380
CWE-ID: CWE-388, CWE-200, CWE-1333
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
Ansible Automation Platform
Server applications / Other server solutions

python3x-rsa (Red Hat package)
Operating systems & Components / Operating system package or component

python3x-requests (Red Hat package)
Operating systems & Components / Operating system package or component

python3x-django (Red Hat package)
Operating systems & Components / Operating system package or component

python3x-cryptography (Red Hat package)
Operating systems & Components / Operating system package or component

python-rsa (Red Hat package)
Operating systems & Components / Operating system package or component

python-requests (Red Hat package)
Operating systems & Components / Operating system package or component

python-django (Red Hat package)
Operating systems & Components / Operating system package or component

python-cryptography (Red Hat package)
Operating systems & Components / Operating system package or component

automation-eda-controller (Red Hat package)
Operating systems & Components / Operating system package or component

Vendor: Red Hat Inc.

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Error Handling

EUVDB-ID: #VU72036

Risk: Low

CVSSv3.1: 2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-23931

CWE-ID: CWE-388 - Error Handling

Exploit availability: No

Description

The vulnerability allows an attacker to misuse the Python API.

The vulnerability exists due to a soundness bug in the Cipher.update_into function, which can allow immutable objects (such as bytes) to be mutated. A malicious programmer can misuse the Python API to introduce unexpected behavior into the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Ansible Automation Platform: 2.4

python3x-rsa (Red Hat package): before 4.7.2-1.el8ap

python3x-requests (Red Hat package): before 2.31.0-1.el8ap

python3x-django (Red Hat package): before 3.2.20-1.el8ap

python3x-cryptography (Red Hat package): before 38.0.4-2.el8ap

python-rsa (Red Hat package): before 4.7.2-1.el9ap

python-requests (Red Hat package): before 2.31.0-1.el9ap

python-django (Red Hat package): before 3.2.20-1.el9ap

python-cryptography (Red Hat package): before 38.0.4-2.el9ap

automation-eda-controller (Red Hat package): before 1.0.1-1.el9ap

External links

http://access.redhat.com/errata/RHSA-2023:4693


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker must have valid credentials and successfully authenticate to the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU77164

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-32681

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the requests library leaks the Proxy-Authorization header to the destination server when a request is redirected to an HTTPS endpoint. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Ansible Automation Platform: 2.4

python3x-rsa (Red Hat package): before 4.7.2-1.el8ap

python3x-requests (Red Hat package): before 2.31.0-1.el8ap

python3x-django (Red Hat package): before 3.2.20-1.el8ap

python3x-cryptography (Red Hat package): before 38.0.4-2.el8ap

python-rsa (Red Hat package): before 4.7.2-1.el9ap

python-requests (Red Hat package): before 2.31.0-1.el9ap

python-django (Red Hat package): before 3.2.20-1.el9ap

python-cryptography (Red Hat package): before 38.0.4-2.el9ap

automation-eda-controller (Red Hat package): before 1.0.1-1.el9ap

External links

http://access.redhat.com/errata/RHSA-2023:4693


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Inefficient regular expression complexity

EUVDB-ID: #VU77880

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-36053

CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when untrusted input is processed with regular expressions in EmailValidator and URLValidator. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Ansible Automation Platform: 2.4

python3x-rsa (Red Hat package): before 4.7.2-1.el8ap

python3x-requests (Red Hat package): before 2.31.0-1.el8ap

python3x-django (Red Hat package): before 3.2.20-1.el8ap

python3x-cryptography (Red Hat package): before 38.0.4-2.el8ap

python-rsa (Red Hat package): before 4.7.2-1.el9ap

python-requests (Red Hat package): before 2.31.0-1.el9ap

python-django (Red Hat package): before 3.2.20-1.el9ap

python-cryptography (Red Hat package): before 38.0.4-2.el9ap

automation-eda-controller (Red Hat package): before 1.0.1-1.el9ap

External links

http://access.redhat.com/errata/RHSA-2023:4693


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Information disclosure

EUVDB-ID: #VU79815

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4380

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists in automation-eda-controller, which exposes a token during project import. A local user can gain access to sensitive information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Ansible Automation Platform: 2.4

python3x-rsa (Red Hat package): before 4.7.2-1.el8ap

python3x-requests (Red Hat package): before 2.31.0-1.el8ap

python3x-django (Red Hat package): before 3.2.20-1.el8ap

python3x-cryptography (Red Hat package): before 38.0.4-2.el8ap

python-rsa (Red Hat package): before 4.7.2-1.el9ap

python-requests (Red Hat package): before 2.31.0-1.el9ap

python-django (Red Hat package): before 3.2.20-1.el9ap

python-cryptography (Red Hat package): before 38.0.4-2.el9ap

automation-eda-controller (Red Hat package): before 1.0.1-1.el9ap
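The fixed releases listed under "Vulnerable software versions" in all four entries above are the same, so one check serves them all. The script below is an added example, not part of this bulletin or of Red Hat's tooling: it reimplements rpm's version-segment comparison in Python (instead of calling librpm) and flags installed packages that are older than the fix, using a constructed sample of `rpm -qa` output.

```python
import itertools
import re
# Fixed versions as listed in this bulletin (RHSA-2023:4693).
FIXED = {"python3x-rsa": "4.7.2-1.el8ap", "python3x-requests": "2.31.0-1.el8ap",
         "python3x-django": "3.2.20-1.el8ap", "python3x-cryptography": "38.0.4-2.el8ap",
         "python-rsa": "4.7.2-1.el9ap", "python-requests": "2.31.0-1.el9ap",
         "python-django": "3.2.20-1.el9ap", "python-cryptography": "38.0.4-2.el9ap",
         "automation-eda-controller": "1.0.1-1.el9ap"}
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")  # rpm compares digit/alpha runs; '.', '-', '_' only separate

def rpmvercmp(a, b):
    # rpm rules: digits numerically, letters lexically, digits beat letters, '~' lowest, leftovers win.
    for x, y in itertools.zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == y:
            continue
        if x == "~" or y is None:
            return -1 if x == "~" else 1
        if y == "~" or x is None:
            return 1 if y == "~" else -1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return (x > y) - (x < y)
    return 0

def evr_cmp(a, b):
    # Compare '[epoch:]version-release' strings: epoch first, then version, then release.
    def split(evr):
        epoch, sep, rest = evr.rpartition(":")
        version, _, release = rest.partition("-")
        return (int(epoch) if sep else 0), version, release
    (ea, va, ra), (eb, vb, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def find_vulnerable(rpm_output):
    # Input: lines of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`; returns (name, installed, fixed).
    hits = []
    for line in rpm_output.splitlines():
        if line.strip():
            name, installed = line.split()
            if name in FIXED and evr_cmp(installed, FIXED[name]) < 0:
                hits.append((name, installed, FIXED[name]))
    return hits

# Constructed sample rpm output (not from a real host).
SAMPLE = ("python-requests 2.25.1-1.el9ap\npython-django 3.2.20-1.el9ap\n"
          "python-cryptography 38.0.4-1.el9ap\nautomation-eda-controller 1.0.1-1.el9ap\n"
          "bash 5.1.8-6.el9\n")
```

On a real host, pipe the rpm query into `find_vulnerable(sys.stdin.read())`; an equal version-release (as for python-django in the sample) is not reported, while an older release of the same version (python-cryptography) is.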

External links

http://access.redhat.com/errata/RHSA-2023:4693


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker must have valid credentials and successfully authenticate to the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
