Red Hat Ansible Automation Platform OAuth2 Token Scope Bypass Vulnerability

Vulnerability

A vulnerability exists in Red Hat Ansible Automation Platform (AAP) that allows read-only OAuth2 API tokens to perform write operations on backend services such as Controller, Hub, and EDA. The issue arises because read-only token scopes are not properly enforced at the Gateway level for Gateway-specific operations. An attacker holding a read-only token could therefore perform write operations, although those operations remain bounded by the role-based access controls (RBAC) that apply to the token's owner.

Impact

Exploitation of this vulnerability allows read-only tokens to bypass their scope restriction and perform write operations on backend services, potentially leading to unauthorized modification or creation of resources, depending on the permissions of the user who owns the token.

Reproduction

To reproduce this vulnerability, create a Personal Access Token (PAT) on the Ansible Automation Platform Gateway with its scope set to read-only. Then use this token to attempt a write operation on the Controller component. The operation should succeed, demonstrating that the read-only restriction has been bypassed. This vulnerability has been confirmed with an admin account; that is not a privilege escalation in itself, but it highlights a failure in the token's scope enforcement.
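The two points above, that the token scope must be checked at the Gateway for every request regardless of which backend serves it, and that a read-scoped token completing a write is the observable symptom, are illustrated by the following added example. It is not Ansible Automation Platform code and does not call the AAP API; the Token class, the authorize() and find_scope_violations() functions, the endpoint paths and the access log line format are all constructed assumptions for this illustration. The first half models scope enforcement that runs before RBAC and fails closed; the second half is a small audit over sample gateway log lines that flags successful writes made under a read scope, while ignoring writes the gateway already rejected.

```python
"""Model of OAuth2 token scope enforcement at an API gateway, plus an audit
over gateway access logs that flags read-scoped tokens that completed writes.

Added example for illustration only; not Ansible Automation Platform code.
Endpoint paths, the log line format and all names are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# HTTP methods that do not change server state versus those that do.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
WRITE_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})

# A "write" scope implies "read"; any other scope string is unrecognised.
SCOPE_RANK = {"read": 1, "write": 2}


@dataclass(frozen=True)
class Token:
    """Minimal stand-in for a personal access token (constructed)."""
    token_id: str
    scope: str  # "read" or "write"


def required_scope(method: str) -> str:
    """Map an HTTP method to the minimum token scope it needs."""
    m = method.upper()
    if m in SAFE_METHODS:
        return "read"
    # Known write methods and any unknown/custom method need "write": fail closed.
    return "write"


def scope_permits(token: Token, method: str) -> bool:
    """True if the token's scope covers what the method requires.

    A token with an unrecognised scope gets no access at all (deny by default).
    """
    have = SCOPE_RANK.get(token.scope)
    if have is None:
        return False
    return have >= SCOPE_RANK[required_scope(method)]


def authorize(token: Token, method: str, path: str) -> bool:
    """Gateway-side scope decision for one request.

    Runs for every request the gateway handles, whether served by the gateway
    itself or proxied to a backend (Controller, Hub, EDA in the AAP case), and
    before any RBAC check: RBAC bounds what the user may do, the scope bounds
    what this token may do on the user's behalf, so a write through a read-only
    token must fail even when the user could otherwise perform it.
    """
    if not path.startswith("/api/"):
        return False  # not an API request this gateway authorizes
    return scope_permits(token, method)


# Constructed sample of gateway access log lines (not a real AAP log format).
SAMPLE_LOG = """\
2026-01-08T14:00:01Z token=pat-17 scope=read method=GET path=/api/controller/v2/jobs/ status=200
2026-01-08T14:00:05Z token=pat-17 scope=read method=POST path=/api/controller/v2/job_templates/ status=201
2026-01-08T14:00:09Z token=pat-42 scope=write method=PATCH path=/api/hub/v3/collections/ status=200
2026-01-08T14:00:12Z token=pat-17 scope=read method=DELETE path=/api/eda/v1/projects/ status=403
2026-01-08T14:00:15Z token=pat-17 scope=read method=HEAD path=/api/gateway/v1/users/ status=200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) token=(?P<token>\S+) scope=(?P<scope>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)


def parse_log_line(line: str) -> Optional[dict]:
    """Parse one constructed log line into a dict; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def find_scope_violations(log_text: str) -> list:
    """Return entries where a read-scoped token completed a write.

    A write the gateway rejected (status >= 400) is not a violation; only a
    successful write under a read scope shows the scope was not enforced.
    """
    violations = []
    for line in log_text.splitlines():
        e = parse_log_line(line)
        if e is None:
            continue
        if e["scope"] == "read" and required_scope(e["method"]) == "write" \
                and e["status"] < 400:
            violations.append(e)
    return violations


if __name__ == "__main__":
    ro = Token("pat-17", "read")
    print("read token POST allowed?", authorize(ro, "POST", "/api/controller/v2/job_templates/"))
    for v in find_scope_violations(SAMPLE_LOG):
        print("scope violation:", v["ts"], v["token"], v["method"], v["path"])
```

Running the file prints that the read-only token's POST is denied by the model and flags exactly one log entry, the successful POST at 14:00:05; the 403 DELETE is correctly left out because the gateway refused it. The same audit shape, a parser for whatever the real gateway log format is plus the read-scope-and-write-method-and-success predicate, is what a defender would run over historical logs after applying the fix to find out whether the bypass was ever used.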

Remediation

Users can upgrade to Red Hat Ansible Automation Platform 2.6 for RHEL 9 or 2.5 for RHEL 8 or 9, where this vulnerability has been addressed.

Added: Jan 8, 2026, 2:24 PM
Updated: Jan 8, 2026, 8:24 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 1.3
exploitability: 5.6
remediation: 7.9
relevance: 1.9
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.