CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2877 – Event-driven-ansible: exposure inventory passwords in plain text when starting a rulebook activation with verbosity set to debug in eda
https://notcve.org/view.php?id=CVE-2025-2877
28 Mar 2025 — A flaw was found in the Ansible Automation Platform's Event-Driven Ansible. In configurations where verbosity is set to "debug", inventory passwords are exposed in plain text when starting a rulebook activation. This issue exists for any "debug" action in a rulebook and also affects Event Streams. • https://access.redhat.com/security/cve/CVE-2025-2877 • CWE-1295: Debug Messages Revealing Unnecessary Information •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-1801 – Aap-gateway: aap-gateway privilege escalation
https://notcve.org/view.php?id=CVE-2025-1801
03 Mar 2025 — A flaw was found in the Ansible aap-gateway. Concurrent requests handled by the gateway grpc service can result in concurrency issues due to race condition requests against the proxy. This issue potentially allows a less privileged user to obtain the JWT of a greater privileged user, enabling the server to be jeopardized. A user session or confidential data might be vulnerable. An update is now available for Red Hat Ansible Automation Platform 2.5. • https://access.redhat.com/errata/RHSA-2025:1954 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 5.5EPSS: 0%CPEs: 46EXPL: 0CVE-2024-11831 – Npm-serialize-javascript: cross-site scripting (xss) in serialize-javascript
https://notcve.org/view.php?id=CVE-2024-11831
10 Feb 2025 — A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web applicatio... • https://access.redhat.com/security/cve/CVE-2024-11831 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-11483 – Automation-gateway: aap-gateway: improper scope handling in oauth2 tokens for aap 2.5
https://notcve.org/view.php?id=CVE-2024-11483
25 Nov 2024 — A vulnerability was found in the Ansible Automation Platform (AAP). This flaw allows attackers to escalate privileges by improperly leveraging read-scoped OAuth2 tokens to gain write access. This issue affects API endpoints that rely on ansible_base.oauth2_provider for OAuth2 authentication. While the impact is limited to actions within the user’s assigned permissions, it undermines scoped access controls, potentially allowing unintended modifications in the application and consuming services. • https://access.redhat.com/security/cve/CVE-2024-11483 • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-11079 – Ansible-core: unsafe tagging bypass via hostvars object in ansible-core
https://notcve.org/view.php?id=CVE-2024-11079
11 Nov 2024 — A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks. An update is now available for Red Hat Ansible Automation Platform Execution Environments. Issues addressed include a bypass vulnerability. • https://access.redhat.com/security/cve/CVE-2024-11079 • CWE-20: Improper Input Validation •
CVSS: 6.3EPSS: 0%CPEs: 6EXPL: 0CVE-2024-9902 – Ansible-core: ansible-core user may read/write unauthorized content
https://notcve.org/view.php?id=CVE-2024-9902
06 Nov 2024 — A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner. An update for openstack-ansible-core is now avail... • https://access.redhat.com/security/cve/CVE-2024-9902 • CWE-863: Incorrect Authorization •
CVSS: 6.4EPSS: 0%CPEs: 6EXPL: 0CVE-2024-10033 – Aap-gateway: xss on aap-gateway
https://notcve.org/view.php?id=CVE-2024-10033
16 Oct 2024 — A vulnerability was found in aap-gateway. A Cross-site Scripting (XSS) vulnerability exists in the gateway component. This flaw allows a malicious user to perform actions that impact users by using the "?next=" in a URL, which can lead to redirecting, injecting malicious script, stealing sessions and data. Se encontró una vulnerabilidad en aap-gateway. • https://access.redhat.com/security/cve/CVE-2024-10033 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-9979 – Pyo3: risk of use-after-free in `borrowed` reads from python weak references
https://notcve.org/view.php?id=CVE-2024-9979
15 Oct 2024 — A flaw was found in PyO3. This vulnerability causes a use-after-free issue, potentially leading to memory corruption or crashes via unsound borrowing from weak Python references. • https://access.redhat.com/security/cve/CVE-2024-9979 • CWE-416: Use After Free •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9620 – Event-driven automation in ansible automation platform (aap): ansible event-driven automation (eda) lacks encryption
https://notcve.org/view.php?id=CVE-2024-9620
08 Oct 2024 — A flaw was found in Event-Driven Automation (EDA) in Ansible Automation Platform (AAP), which lacks encryption of sensitive information. An attacker with network access could exploit this vulnerability by sniffing the plaintext data transmitted between the EDA and AAP. An attacker with system access could exploit this vulnerability by reading the plaintext data stored in EDA and AAP databases. • https://access.redhat.com/security/cve/CVE-2024-9620 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 6.5EPSS: 0%CPEs: 30EXPL: 0CVE-2024-9355 – Golang-fips: golang fips zeroed buffer
https://notcve.org/view.php?id=CVE-2024-9355
01 Oct 2024 — A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This... • https://access.redhat.com/security/cve/CVE-2024-9355 • CWE-457: Use of Uninitialized Variable •