Risk | High |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2023-23931, CVE-2023-40267 |
CWE-ID | CWE-388, CWE-20 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | python3x-gitpython (Red Hat package), python-gitpython (Red Hat package), automation-controller (Red Hat package), ansible-core (Red Hat package); all in category Operating systems & Components / Operating system package or component |
Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU72036
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-23931
CWE-ID: CWE-388 - Error Handling
Exploit availability: No
Description
The vulnerability allows an attacker to misuse the Python API.
The vulnerability exists due to a soundness bug within the Cipher.update_into function, which can allow immutable objects (such as bytes) to be mutated. A malicious programmer can misuse the Python API to introduce unexpected behavior into the application.
Install updates from vendor's website.
python3x-gitpython (Red Hat package): before 3.1.32-1.el8ap
python-gitpython (Red Hat package): before 3.1.32-1.el9ap
automation-controller (Red Hat package): before 4.4.3-1.el8ap
ansible-core (Red Hat package): before 2.15.3-1.el8ap
https://access.redhat.com/errata/RHSA-2023:4971
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU79631
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-40267
CWE-ID: CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and compromise the affected system.
Note: the vulnerability exists due to an incomplete fix for CVE-2022-24439.
Install updates from vendor's website.
python3x-gitpython (Red Hat package): before 3.1.32-1.el8ap
python-gitpython (Red Hat package): before 3.1.32-1.el9ap
automation-controller (Red Hat package): before 4.4.3-1.el8ap
ansible-core (Red Hat package): before 2.15.3-1.el8ap
https://access.redhat.com/errata/RHSA-2023:4971
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
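To check hosts against the fixed builds listed for both vulnerabilities, the following added example (not part of the bulletin or of Red Hat tooling) compares installed package versions with those builds. It assumes input lines of the form `name version-release`, uses a simplified RPM version comparison without epoch, `~` or `^` handling, and compares dist tags (`el8ap`, `el9ap`) as ordinary release segments; the sample inventory is constructed.

```python
import re

# First fixed version-release per package, as listed in this bulletin.
FIXED = {
    "python3x-gitpython": "3.1.32-1.el8ap",
    "python-gitpython": "3.1.32-1.el9ap",
    "automation-controller": "4.4.3-1.el8ap",
    "ansible-core": "2.15.3-1.el8ap",
}

def vercmp(a, b):
    """Simplified rpmvercmp returning -1, 0 or 1 (no epoch, '~' or '^')."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)   # runs of digits or letters
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric compare: 10 > 3
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.rpartition("-")
    vb, _, rb = b.rpartition("-")
    return vercmp(va, vb) or vercmp(ra, rb)

def audit(lines):
    """Return {package: installed} for packages older than the fixed build."""
    stale = {}
    for line in lines:
        name, _, evr = line.strip().partition(" ")
        if name in FIXED and evr_cmp(evr, FIXED[name]) < 0:
            stale[name] = evr
    return stale

# Constructed sample, in the format produced by:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <packages>
SAMPLE = [
    "python3x-gitpython 3.1.30-1.el8ap",
    "automation-controller 4.4.3-1.el8ap",
    "ansible-core 2.15.10-1.el8ap",
    "bash 5.1.8-6.el9",
]

if __name__ == "__main__":
    for pkg, evr in audit(SAMPLE).items():
        print(f"{pkg} {evr} is older than fixed build {FIXED[pkg]}")
```

Note that `ansible-core 2.15.10` is correctly treated as newer than `2.15.3`, which a plain string comparison would get wrong.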