Ansible Automation Platform EDA Component Git Argument Injection Vulnerability

Vulnerability

A vulnerability exists in the Event-Driven Ansible (EDA) component of Ansible Automation Platform: user-provided Git URLs are passed unvalidated to the 'git ls-remote' command. Because git parses a value that begins with a dash as a command-line option rather than as a repository URL, an authenticated attacker who controls that value can inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes or OpenShift environments, this could result in the theft of the worker's service account token and unauthorized access to the cluster.
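The following is an added example written for this page, not code from Ansible Automation Platform or Event-Driven Ansible. It contrasts the vulnerable pattern (a user-supplied value placed directly into the 'git ls-remote' argv, where git will read a leading dash as an option) with a hardened wrapper that rejects dash-prefixed values, restricts the URL scheme and host, and places '--' before the URL. The function names, the hypothetical argv builders and the sample URLs are assumptions for illustration; the example never runs git, it only builds and inspects the argument list.

```python
"""Validating a Git URL before it reaches 'git ls-remote'.

Added illustration, not EDA's own code. Function names, the sample URLs and
the argv builders are assumptions made for this example.
"""
from urllib.parse import urlsplit

# Schemes a remote-repository URL is allowed to use (assumed policy).
ALLOWED_SCHEMES = {"https", "http", "ssh", "git"}


class UnsafeGitURL(ValueError):
    """Raised when a user-supplied value must not be handed to git."""


def validate_git_url(url: str) -> str:
    """Return url unchanged if it is safe for 'git ls-remote', else raise.

    Two independent checks:
      1. A value starting with '-' is parsed by git as an option, not a URL.
         This is the argument-injection vector described above, so it is
         rejected outright regardless of what follows the dash.
      2. Only a fixed set of URL schemes with a non-empty host is accepted.
         This also excludes local paths and scp-style 'host:path' strings,
         which are harder to reason about than a proper URL.
    """
    if not isinstance(url, str) or not url:
        raise UnsafeGitURL("empty URL")
    if url.lstrip().startswith("-"):
        raise UnsafeGitURL("URL must not begin with '-': %r" % url)
    if "\x00" in url or any(ch.isspace() for ch in url):
        raise UnsafeGitURL("NUL or whitespace in URL: %r" % url)
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeGitURL("scheme %r not allowed" % parts.scheme)
    if not parts.netloc or not parts.hostname:
        raise UnsafeGitURL("URL has no host: %r" % url)
    return url


def ls_remote_argv_unsafe(url: str) -> list:
    """The vulnerable pattern: the user value lands where git parses options."""
    return ["git", "ls-remote", url]


def ls_remote_argv(url: str) -> list:
    """Hardened builder: validate first, then put '--' before the URL.

    '--' is the standard end-of-options marker understood by git's option
    parser, so even if validation is later relaxed the URL cannot be read
    as an option.
    """
    safe = validate_git_url(url)
    return ["git", "ls-remote", "--", safe]


def looks_like_option(argv: list) -> bool:
    """True if an argument after the subcommand and before '--' starts with '-'.

    A quick pre-exec check a reviewer can apply to any git invocation built
    from untrusted input.
    """
    for arg in argv[2:]:
        if arg == "--":
            return False
        if arg.startswith("-"):
            return True
    return False


if __name__ == "__main__":
    # '--upload-pack=<program>' is a real git option that names a program
    # git will run; it is used here only to show why a leading dash must
    # never reach the argv. Constructed sample inputs, not real data.
    for candidate in ("https://github.com/example/repo.git",
                      "--upload-pack=/tmp/evil",
                      "/srv/local/repo",
                      "git@example.com:org/repo.git"):
        try:
            print("accepted:", ls_remote_argv(candidate))
        except UnsafeGitURL as exc:
            print("rejected:", exc)
```

In the unsafe builder, a value such as `--upload-pack=/tmp/evil` sits exactly where git reads options, which is what `looks_like_option` flags; the hardened builder refuses it before any process is started. Treat the scheme allowlist as a starting point and tighten it to whatever the deployment actually needs.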

Impact

Exploitation of this vulnerability could lead to unauthorized command execution on the EDA worker, with potential access to sensitive Kubernetes or OpenShift resources, including service account tokens and associated secrets.

Added: Jun 30, 2025, 9:20 PM
Updated: Jun 30, 2025, 9:20 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 10.0
exploitability: 5.2
remediation: 0.0
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.