Red Hat Ansible Automation Platform
cpe:2.3:a:redhat:ansible_automation_platform:*:*:*:*:*:*:*
A log injection vulnerability has been identified in the AAP MCP server component of Red Hat Ansible Automation Platform 2. This vulnerability allows unauthenticated remote attackers to exploit unsanitized input in the 'toolsetroute' parameter, injecting control characters such as newlines and ANSI escape sequences. The lack of proper input sanitization before logging enables attackers to obscure genuine log entries and insert fake ones. Such forged log entries could be used in social engineering attacks, potentially leading operators to execute harmful commands or visit malicious URLs.
Exploitation of this vulnerability could misdirect or hinder the interpretation of log files, allowing an attacker to insert false log entries that could cover up malicious activities or implicate others in wrongdoing. The injected log data could also be used to manipulate automated log processing tools, rendering them ineffective or causing them to misinterpret the log content.
The vulnerability can be reproduced by sending a request to any of the six toolset-specific endpoints (POST, GET, DELETE, and OPTIONS) with a payload that includes control characters such as newlines, tabs, and ANSI escape sequences in the 'toolsetroute' parameter. The injected characters will not be sanitized before being logged, allowing the attacker to create forged log entries that can obscure legitimate ones.
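A mitigation sketch for the missing sanitization described above, as an added example rather than code from Red Hat or the AAP MCP server: it escapes control characters in a request-derived value before the value is written to a log record, and compares the result with raw interpolation. The function names, the log line layout and the choice of JavaScript are assumptions, and the sample value is constructed.

```javascript
// Added example: hypothetical names throughout; not the AAP MCP server's code.
const MAX_FIELD_LEN = 256; // assumed cap so one field cannot flood a log line

// Escape C0/C1 control characters, DEL, Unicode line separators, quotes and
// backslashes so the value always renders as visible text on a single line.
function sanitizeForLog(value) {
  const text = String(value).slice(0, MAX_FIELD_LEN);
  return text.replace(/[\u0000-\u001f\u007f-\u009f\u2028\u2029"\\]/g, (ch) => {
    if (ch === '"' || ch === "\\") return "\\" + ch;
    return "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0");
  });
}

// Weak form: request-derived text is interpolated into the record as-is.
function formatUnsafe(ts, method, toolsetRoute) {
  return `${ts} INFO request method=${method} toolset=${toolsetRoute}`;
}

// Hardened form: the value is escaped and quoted, so its boundaries are explicit.
function formatSafe(ts, method, toolsetRoute) {
  return `${ts} INFO request method=${method} toolset="${sanitizeForLog(toolsetRoute)}"`;
}

// What a line-oriented viewer or parser would treat as separate records.
function renderedRecords(logText) {
  return logText.split(/\r\n|[\n\r\u2028\u2029]/);
}

// Constructed sample value containing a newline, an ANSI escape and a tab.
const SAMPLE_ROUTE =
  "demo\n2025-01-01T00:00:00Z INFO constructed second record\x1b[2K\tend";

function demo() {
  const ts = "2025-01-01T00:00:00Z";
  return {
    unsafe: renderedRecords(formatUnsafe(ts, "GET", SAMPLE_ROUTE)).length,
    safe: renderedRecords(formatSafe(ts, "GET", SAMPLE_ROUTE)).length,
    safeLine: formatSafe(ts, "GET", SAMPLE_ROUTE),
  };
}

console.log(demo());
```

Writing records through a structured encoder such as JSON gives the same single-record property, because the encoder escapes control characters inside string fields.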