Red Hat Ansible Automation Platform Event-Driven Ansible Sensitive Headers Exposure Vulnerability

Vulnerability

A vulnerability exists in the Event Stream API of Event-Driven Ansible (EDA) in Red Hat Ansible Automation Platform. While an event stream is in test mode, the API endpoint captures the headers of incoming test requests and returns them unfiltered in the test_headers field, including sensitive client credentials and internal infrastructure headers. This can disclose user or system credentials, leak internal infrastructure details and, if high-value tokens are captured, enable privilege escalation. The captured data is not transient: it remains readable by every user with read access on the event stream until it is explicitly overwritten or deleted.

Impact

Exploitation of this vulnerability can result in the exposure of sensitive client credentials, including Authorization tokens, and internal infrastructure headers, such as X-Trusted-Proxy. This leakage can lead to unauthorized access and privilege escalation, particularly if high-value tokens are involved.

Reproduction

To reproduce the issue, put an event stream into test mode and send a request to its Event Stream API endpoint carrying the headers under test, for example an Authorization header. The API stores every received header and echoes all of them back, sensitive values included, in the test_headers field. The same leak occurs when a client posts to an internal API gateway path by mistake: that request carries additional internal headers, such as X-Trusted-Proxy, and those are captured and exposed as well.
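The following is an added illustration, not code from Event-Driven Ansible or Red Hat: it models the behaviour the advisory describes (every request header persisted and echoed in test_headers) next to a hardened variant that redacts credential and internal headers before storing them, and adds an audit helper for test_headers payloads already recorded. The header list, the prefix rule and the sample request are assumptions constructed for the example.

```python
"""Model of the EDA test-mode header leak, a hardened variant, and an audit check.

Added example; not Ansible Automation Platform code. The sensitive-header list,
prefix rule and sample request below are constructed for illustration.
"""
from typing import Dict, List, Mapping

# Header names whose values must never be persisted or echoed (assumed list).
SENSITIVE_HEADERS = frozenset({
    "authorization",
    "proxy-authorization",
    "cookie",
    "x-api-key",
    "x-trusted-proxy",  # internal infrastructure header named in the advisory
})
# Header name prefixes treated as internal infrastructure detail (assumed).
SENSITIVE_PREFIXES = ("x-trusted-", "x-internal-")

REDACTED = "<redacted>"


def is_sensitive(name: str) -> bool:
    """Case-insensitive check against the exact list and the prefix rule."""
    lowered = name.lower()
    return lowered in SENSITIVE_HEADERS or lowered.startswith(SENSITIVE_PREFIXES)


def vulnerable_test_headers(request_headers: Mapping[str, str]) -> Dict[str, str]:
    """Behaviour the advisory describes: every header is stored verbatim and
    later returned in test_headers to anyone who can read the event stream."""
    return dict(request_headers)


def redacted_test_headers(request_headers: Mapping[str, str]) -> Dict[str, str]:
    """Hardened variant: keep header names (useful when debugging a webhook
    sender) but replace sensitive values before the payload is persisted."""
    return {
        name: (REDACTED if is_sensitive(name) else value)
        for name, value in request_headers.items()
    }


def audit_stored_test_headers(stored: Mapping[str, str]) -> List[str]:
    """Names of headers in an already stored test_headers payload that still
    carry a secret. Use this to find streams whose captured data must be
    overwritten or deleted and whose credentials must be rotated."""
    return sorted(
        name for name, value in stored.items()
        if is_sensitive(name) and value != REDACTED
    )


# Constructed sample of what a webhook sender might post during a test.
SAMPLE_REQUEST_HEADERS = {
    "Content-Type": "application/json",
    "User-Agent": "example-webhook/1.0",
    "Authorization": "Bearer example-token-not-real",
    "X-Trusted-Proxy": "proxy-01.internal.example",
}

if __name__ == "__main__":
    leaked = vulnerable_test_headers(SAMPLE_REQUEST_HEADERS)
    print("vulnerable test_headers:", leaked)
    print("leaked secrets:", audit_stored_test_headers(leaked))
    safe = redacted_test_headers(SAMPLE_REQUEST_HEADERS)
    print("hardened test_headers:", safe)
    print("remaining secrets:", audit_stored_test_headers(safe))
```

Redacting rather than dropping the header keeps the diagnostic value of test mode (the sender can confirm which headers arrived) without persisting the values; the audit helper is the check to run over existing streams after upgrading, since the advisory notes captured data persists until overwritten or deleted.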

Remediation

The fix is included in Red Hat Ansible Automation Platform 2.6 for RHEL 9 and in 2.5 for RHEL 8 and RHEL 9; upgrade to a release that carries it. Instructions for applying the update are available in the Red Hat Ansible Automation Platform documentation. Because headers captured before the upgrade remain readable to every user with read access on the event stream, also overwrite or delete any test_headers recorded while a stream was in test mode, and treat credentials that appeared in them as exposed.

Added: Feb 27, 2026, 8:21 AM
Updated: Feb 27, 2026, 2:29 PM

Vulnerability Rating

Custom Algorithm

spread          6.2
impact          2.5
exploitability  5.6
remediation     7.7
relevance       3.3
threat          1.6
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.