{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-17T23:59:00Z",
  "bugzilla" : {
    "description" : "event-driven-ansible: Sensitive Internal Headers Disclosure in AAP EDA Event Streams",
    "id" : "2392835",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2392835"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-200",
  "details" : [ "A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. This vulnerability allows an authenticated user to gain access to sensitive internal infrastructure headers (such as X-Trusted-Proxy and X-Envoy-*) and event stream URLs via crafted requests and job templates. By exfiltrating these headers, an attacker could spoof trusted requests, escalate privileges, or perform malicious event injection.", "A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. This vulnerability allows an authenticated user to gain access to sensitive internal infrastructure headers (such as X-Trusted-Proxy and X-Envoy-*) and event stream URLs via crafted requests and job templates. By exfiltrating these headers, an attacker could spoof trusted requests, escalate privileges, or perform malicious event injection." ],
  "statement" : "This issue is classified as Moderate because the exposure of sensitive internal headers, including X-Trusted-Proxy and X-Envoy-* values, can lead to privilege escalation, request spoofing, and unauthorized access to internal infrastructure details. Exploitation requires low-complexity conditions and local access—any user with an EDA credential or shared access to a job template and event stream can capture these headers once an event is sent. The persistence of captured headers further increases risk, as sensitive values remain accessible to the attacker until explicitly cleared.",
  "acknowledgement" : "This issue was discovered by Elijah DeLee (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "ansible-builder-0:3.1.1-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "ansible-creator-0:25.12.0-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "ansible-dev-environment-0:25.12.2-1.1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "ansible-dev-tools-0:25.12.0-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "ansible-lint-0:25.12.0-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "ansible-navigator-0:25.12.0-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "ansible-sign-0:0.1.4-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "automation-eda-controller-0:1.1.14-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "automation-hub-0:4.10.10-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "bindep-0:2.13.0-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "molecule-0:25.12.0-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "python3.11-ansible-compat-0:25.12.0-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "python3.11-distlib-0:0.4.0-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "python3.11-django-0:4.2.26-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "python3.11-execnet-0:2.1.2-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "python3.11-galaxy-importer-0:0.4.36-2.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "python3.11-galaxy-ng-0:4.10.10-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "python3.11-gunicorn-0:23.0.0-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "python3.11-pluggy-0:1.6.0-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "python3.11-pytest-0:9.0.1-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "python3.11-pytest-ansible-0:25.12.0-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "python3.11-pytest-xdist-0:3.8.0-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "python3.11-ruamel-yaml-clib-0:0.2.15-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "python3.11-subprocess-tee-0:0.4.2-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "python3.11-tox-ansible-0:25.12.0-1.2.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "python3.11-typing-extensions-0:4.15.0-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "ansible-builder-0:3.1.1-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "ansible-creator-0:25.12.0-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "ansible-dev-environment-0:25.12.2-1.1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "ansible-dev-tools-0:25.12.0-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "ansible-lint-0:25.12.0-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "ansible-navigator-0:25.12.0-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "ansible-sign-0:0.1.4-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "automation-eda-controller-0:1.1.14-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "automation-hub-0:4.10.10-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "bindep-0:2.13.0-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "molecule-0:25.12.0-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "python3.11-ansible-compat-0:25.12.0-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "python3.11-distlib-0:0.4.0-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "python3.11-django-0:4.2.26-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "python3.11-execnet-0:2.1.2-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "python3.11-galaxy-importer-0:0.4.36-2.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "python3.11-galaxy-ng-0:4.10.10-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "python3.11-gunicorn-0:23.0.0-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "python3.11-pluggy-0:1.6.0-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "python3.11-pytest-0:9.0.1-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "python3.11-pytest-ansible-0:25.12.0-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "python3.11-pytest-xdist-0:3.8.0-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "python3.11-ruamel-yaml-clib-0:0.2.15-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "python3.11-subprocess-tee-0:0.4.2-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "python3.11-tox-ansible-0:25.12.0-1.2.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23069",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "python3.11-typing-extensions-0:4.15.0-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.6 for RHEL 9",
    "release_date" : "2025-10-28T00:00:00Z",
    "advisory" : "RHSA-2025:19201",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9",
    "package" : "automation-eda-controller-0:1.2.1-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5",
    "release_date" : "2025-12-11T00:00:00Z",
    "advisory" : "RHSA-2025:23131",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "ansible-automation-platform-25/eda-controller-rhel8:sha256:07673470fb62db8bec12ec20b2500228c0c6d5108916dd936d91e10610b783d1"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.6",
    "release_date" : "2025-10-28T00:00:00Z",
    "advisory" : "RHSA-2025:19221",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9",
    "package" : "ansible-automation-platform-26/eda-controller-rhel9:sha256:142125ce7f176ce4d9755f3124714bbfd8e10a687378988761d5451bd135ca76"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-9908\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-9908" ],
  "name" : "CVE-2025-9908",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}