SB20251210209 - Multiple vulnerabilities in Ansible Automation Platform 2.5 packages

Description

This security bulletin contains information about 4 vulnerabilities.

1) SQL injection (CVE-ID: CVE-2025-64459)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data within the QuerySet.filter(), QuerySet.exclude(), and QuerySet.get(), and the class Q() when using a suitably crafted dictionary, with dictionary expansion, as the _connector argument. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

2) Input validation error (CVE-ID: CVE-2025-9909)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to create hidden routes within the application.

The vulnerability exists due to insufficient validation of user-supplied input when creating routes. A remote privileged user can create routes starting with a double slash (//), that look very much like legitimate URLs. This can be used to set up a "honey-pot" route to capture and exfiltrate user credentials.

3) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-58754)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to allocation of resources without limits within data: URL decode. A remote attacker can cause a denial of service condition on the target system.

4) Reachable assertion (CVE-ID: CVE-2025-59530)

CWE-ID: CWE-617 - Reachable Assertion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to premature HANDSHAKE_DONE frame. A remote attacker can trigger an assertion in a quic-go client and cause a deial of service condition on the target system.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2025:23069