Red Hat Ansible Automation Platform
cpe:2.3:a:redhat:ansible_automation_platform:*:*:*:*:*:*:*
A template injection vulnerability has been identified in the EDA component of the Ansible Automation Platform. This issue arises because user-supplied Git branch or refspec values are processed as Jinja2 templates without proper sanitization. Authenticated users can exploit this flaw to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift environments, this vulnerability could lead to the theft of service account tokens.
Exploitation of this vulnerability allows for arbitrary command execution and unauthorized access to sensitive files on the EDA worker. In OpenShift, it can result in the theft of service account tokens, which could be used to escalate privileges within the cluster.
To reproduce this vulnerability, create a new EDA project in the Ansible Automation Platform and supply a Git branch or refspec value that includes a Jinja2 expression. During the project synchronization process, the injected expression will be executed, potentially disclosing sensitive files or executing arbitrary commands on the EDA worker.
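A defensive check for the input path described above, as an added example that is not Red Hat's fix or EDA's own code: it rejects branch or refspec values that carry Jinja2 delimiters or characters outside a conservative allowlist, and audits stored project records for such values. The field names `scm_branch` and `scm_refspec`, the allowlist, and the sample records are assumptions made for illustration.

```python
import re

# Jinja2's default expression, statement and comment delimiters.
JINJA_MARKERS = ("{{", "}}", "{%", "%}", "{#", "#}")
# Conservative allowlist (assumption): optional "+", ref characters, optional ":dst" half.
REF_CHARS = r"[A-Za-z0-9._/*-]+"
ALLOWED = re.compile(rf"\+?{REF_CHARS}(:{REF_CHARS})?")


def check_git_ref(value):
    """Return the reasons to reject a branch/refspec value; [] means accept."""
    reasons = []
    if any(marker in value for marker in JINJA_MARKERS):
        reasons.append("jinja2 delimiter")
    if not ALLOWED.fullmatch(value):
        reasons.append("character outside allowlist")
    if value.startswith("-") or ".." in value:
        reasons.append("invalid git ref form")
    return reasons


def audit_projects(projects, fields=("scm_branch", "scm_refspec")):
    """Flag stored project records whose ref fields would be rejected."""
    findings = []
    for project in projects:
        for field in fields:
            value = project.get(field) or ""
            reasons = check_git_ref(value) if value else []
            if reasons:
                findings.append((project["name"], field, reasons))
    return findings


# Constructed sample records (not taken from a real deployment).
SAMPLE_PROJECTS = [
    {"name": "rulebooks-prod", "scm_branch": "main", "scm_refspec": ""},
    {"name": "rulebooks-pr", "scm_branch": "pr-12",
     "scm_refspec": "refs/pull/12/head:refs/remotes/origin/pr-12"},
    {"name": "suspicious", "scm_branch": "{{ example }}", "scm_refspec": ""},
    {"name": "also-suspicious", "scm_branch": "dev",
     "scm_refspec": "refs/heads/dev{% if x %}"},
]

if __name__ == "__main__":
    for name, field, reasons in audit_projects(SAMPLE_PROJECTS):
        print(f"{name}: {field} rejected ({', '.join(reasons)})")
```

Validation of this kind is defense in depth; the root cause described above is that the value is rendered as a template at all, so the value should also be passed to Git as plain data.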