Multiple vulnerabilities in Red Hat Ansible Automation Platform 2.4 for RHEL 9

1) Resource exhaustion

EUVDB-ID: #VU86190

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-24680

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in intcomma template filter. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-pulpcore (Red Hat package): before 3.28.24-1.el8ap

python3x-django (Red Hat package): before 4.2.11-1.el8ap

python3x-aiohttp (Red Hat package): before 3.9.3-1.el8ap

receptor (Red Hat package): before 1.4.5-1.el9ap

python-pulpcore (Red Hat package): before 3.28.24-1.el9ap

python-django (Red Hat package): before 4.2.11-1.el9ap

python-aiohttp (Red Hat package): before 3.9.3-1.el9ap

automation-controller (Red Hat package): before 4.5.5-2.el9ap

ansible-runner (Red Hat package): before 2.3.6-1.el9ap

ansible-core (Red Hat package): before 2.15.10-1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:1640

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU85884

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2024-23829

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-pulpcore (Red Hat package): before 3.28.24-1.el8ap

python3x-django (Red Hat package): before 4.2.11-1.el8ap

python3x-aiohttp (Red Hat package): before 3.9.3-1.el8ap

receptor (Red Hat package): before 1.4.5-1.el9ap

python-pulpcore (Red Hat package): before 3.28.24-1.el9ap

python-django (Red Hat package): before 4.2.11-1.el9ap

python-aiohttp (Red Hat package): before 3.9.3-1.el9ap

automation-controller (Red Hat package): before 4.5.5-2.el9ap

ansible-runner (Red Hat package): before 2.3.6-1.el9ap

ansible-core (Red Hat package): before 2.15.10-1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:1640

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Path traversal

EUVDB-ID: #VU85886

Risk: High

CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C]

CVE-ID: CVE-2024-23334

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in aiohttp.web.static(follow_symlinks=True). A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Request examples:

For windows: /static/../D:\flag.txt Poc

For Linux: /static/../../../../etc/passwd

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-pulpcore (Red Hat package): before 3.28.24-1.el8ap

python3x-django (Red Hat package): before 4.2.11-1.el8ap

python3x-aiohttp (Red Hat package): before 3.9.3-1.el8ap

receptor (Red Hat package): before 1.4.5-1.el9ap

python-pulpcore (Red Hat package): before 3.28.24-1.el9ap

python-django (Red Hat package): before 4.2.11-1.el9ap

python-aiohttp (Red Hat package): before 3.9.3-1.el9ap

automation-controller (Red Hat package): before 4.5.5-2.el9ap

ansible-runner (Red Hat package): before 2.3.6-1.el9ap

ansible-core (Red Hat package): before 2.15.10-1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:1640

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

4) Cross-site scripting

EUVDB-ID: #VU85368

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-22195

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the xmlattr filter. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-pulpcore (Red Hat package): before 3.28.24-1.el8ap

python3x-django (Red Hat package): before 4.2.11-1.el8ap

python3x-aiohttp (Red Hat package): before 3.9.3-1.el8ap

receptor (Red Hat package): before 1.4.5-1.el9ap

python-pulpcore (Red Hat package): before 3.28.24-1.el9ap

python-django (Red Hat package): before 4.2.11-1.el9ap

python-aiohttp (Red Hat package): before 3.9.3-1.el9ap

automation-controller (Red Hat package): before 4.5.5-2.el9ap

ansible-runner (Red Hat package): before 2.3.6-1.el9ap

ansible-core (Red Hat package): before 2.15.10-1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:1640

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) NULL pointer dereference

EUVDB-ID: #VU83930

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-49083

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when calling the load_pem_pkcs7_certificates() or load_der_pkcs7_certificates() functions. A remote attacker can pass specially crafted PKCS7 blob/certificate certificate to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-pulpcore (Red Hat package): before 3.28.24-1.el8ap

python3x-django (Red Hat package): before 4.2.11-1.el8ap

python3x-aiohttp (Red Hat package): before 3.9.3-1.el8ap

receptor (Red Hat package): before 1.4.5-1.el9ap

python-pulpcore (Red Hat package): before 3.28.24-1.el9ap

python-django (Red Hat package): before 4.2.11-1.el9ap

python-aiohttp (Red Hat package): before 3.9.3-1.el9ap

automation-controller (Red Hat package): before 4.5.5-2.el9ap

ansible-runner (Red Hat package): before 2.3.6-1.el9ap

ansible-core (Red Hat package): before 2.15.10-1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:1640

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU83631

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-47627

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests when AIOHTTP_NO_EXTENSIONS is enabled. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-pulpcore (Red Hat package): before 3.28.24-1.el8ap

python3x-django (Red Hat package): before 4.2.11-1.el8ap

python3x-aiohttp (Red Hat package): before 3.9.3-1.el8ap

receptor (Red Hat package): before 1.4.5-1.el9ap

python-pulpcore (Red Hat package): before 3.28.24-1.el9ap

python-django (Red Hat package): before 4.2.11-1.el9ap

python-aiohttp (Red Hat package): before 3.9.3-1.el9ap

automation-controller (Red Hat package): before 4.5.5-2.el9ap

ansible-runner (Red Hat package): before 2.3.6-1.el9ap

ansible-core (Red Hat package): before 2.15.10-1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:1640

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU82547

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-46137

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-pulpcore (Red Hat package): before 3.28.24-1.el8ap

python3x-django (Red Hat package): before 4.2.11-1.el8ap

python3x-aiohttp (Red Hat package): before 3.9.3-1.el8ap

receptor (Red Hat package): before 1.4.5-1.el9ap

python-pulpcore (Red Hat package): before 3.28.24-1.el9ap

python-django (Red Hat package): before 4.2.11-1.el9ap

python-aiohttp (Red Hat package): before 3.9.3-1.el9ap

automation-controller (Red Hat package): before 4.5.5-2.el9ap

ansible-runner (Red Hat package): before 2.3.6-1.el9ap

ansible-core (Red Hat package): before 2.15.10-1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:1640

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Cross-site request forgery

EUVDB-ID: #VU82558

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-45857

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-pulpcore (Red Hat package): before 3.28.24-1.el8ap

python3x-django (Red Hat package): before 4.2.11-1.el8ap

python3x-aiohttp (Red Hat package): before 3.9.3-1.el8ap

receptor (Red Hat package): before 1.4.5-1.el9ap

python-pulpcore (Red Hat package): before 3.28.24-1.el9ap

python-django (Red Hat package): before 4.2.11-1.el9ap

python-aiohttp (Red Hat package): before 3.9.3-1.el9ap

automation-controller (Red Hat package): before 4.5.5-2.el9ap

ansible-runner (Red Hat package): before 2.3.6-1.el9ap

ansible-core (Red Hat package): before 2.15.10-1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:1640

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Path traversal

EUVDB-ID: #VU81056

Risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-41040

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when reading from the ".git" directory. A remote attacker can prepare a specially crafted ".git" file with directory traversal characters in file names and force the application to read these files from the local system. This can result in checking for existence of a specific files on the system or perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-pulpcore (Red Hat package): before 3.28.24-1.el8ap

python3x-django (Red Hat package): before 4.2.11-1.el8ap

python3x-aiohttp (Red Hat package): before 3.9.3-1.el8ap

receptor (Red Hat package): before 1.4.5-1.el9ap

python-pulpcore (Red Hat package): before 3.28.24-1.el9ap

python-django (Red Hat package): before 4.2.11-1.el9ap

python-aiohttp (Red Hat package): before 3.9.3-1.el9ap

automation-controller (Red Hat package): before 4.5.5-2.el9ap

ansible-runner (Red Hat package): before 2.3.6-1.el9ap

ansible-core (Red Hat package): before 2.15.10-1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:1640

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Inefficient regular expression complexity

EUVDB-ID: #VU87033

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-27351

CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions in django.utils.text.Truncator.words(). A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-pulpcore (Red Hat package): before 3.28.24-1.el8ap

python3x-django (Red Hat package): before 4.2.11-1.el8ap

python3x-aiohttp (Red Hat package): before 3.9.3-1.el8ap

receptor (Red Hat package): before 1.4.5-1.el9ap

python-pulpcore (Red Hat package): before 3.28.24-1.el9ap

python-django (Red Hat package): before 4.2.11-1.el9ap

python-aiohttp (Red Hat package): before 3.9.3-1.el9ap

automation-controller (Red Hat package): before 4.5.5-2.el9ap

ansible-runner (Red Hat package): before 2.3.6-1.el9ap

ansible-core (Red Hat package): before 2.15.10-1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:1640

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Memory leak

EUVDB-ID: #VU87830

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-1394

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in the RSA encrypting/decrypting code when handling untrusted input. A remote attacker can pass specially crafted data to the application and perform denial of service attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-pulpcore (Red Hat package): before 3.28.24-1.el8ap

python3x-django (Red Hat package): before 4.2.11-1.el8ap

python3x-aiohttp (Red Hat package): before 3.9.3-1.el8ap

receptor (Red Hat package): before 1.4.5-1.el9ap

python-pulpcore (Red Hat package): before 3.28.24-1.el9ap

python-django (Red Hat package): before 4.2.11-1.el9ap

python-aiohttp (Red Hat package): before 3.9.3-1.el9ap

automation-controller (Red Hat package): before 4.5.5-2.el9ap

ansible-runner (Red Hat package): before 2.3.6-1.el9ap

ansible-core (Red Hat package): before 2.15.10-1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:1640

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Resource exhaustion

EUVDB-ID: #VU83928

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-39326

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP chunked requests. A remote attacker can send specially crafted HTTP requests to the server and consume excessive memory resources.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-pulpcore (Red Hat package): before 3.28.24-1.el8ap

python3x-django (Red Hat package): before 4.2.11-1.el8ap

python3x-aiohttp (Red Hat package): before 3.9.3-1.el8ap

receptor (Red Hat package): before 1.4.5-1.el9ap

python-pulpcore (Red Hat package): before 3.28.24-1.el9ap

python-django (Red Hat package): before 4.2.11-1.el9ap

python-aiohttp (Red Hat package): before 3.9.3-1.el9ap

automation-controller (Red Hat package): before 4.5.5-2.el9ap

ansible-runner (Red Hat package): before 2.3.6-1.el9ap

ansible-core (Red Hat package): before 2.15.10-1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:1640

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.