SB2024092068 - Multiple vulnerabilities in Ansible Automation Platform 2.4 packages

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Insecure inherited permissions (CVE-ID: CVE-2024-7143)

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to the way permissions are assigned on new tasks with RBAC enabled. A remote user can use a specially crafted task that creates new objects. Such objects will be owned by the oldest user with model/domain-level task permissions within the application and executed with privileges of such a user.

2) Information disclosure (CVE-ID: CVE-2024-37891)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to Prox-Authorization header is not stripped during cross-origin redirects when using urllib3's proxy support with ProxyManager. A remote attacker can gain obtain proxy credentials used by the library.

3) Input validation error (CVE-ID: CVE-2024-24790)

The vulnerability allows a remote attacker to modify application behavior.

The vulnerability exists due to improper handling of IPv4-mapped IPv6 addresses in net/netip within multiple methods, e.g. IsPrivate, IsLoopback. The affected methods return false for addresses which would return true in their traditional IPv4 forms, leading to potential bypass of implemented security features.

4) Infinite loop (CVE-ID: CVE-2024-24788)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when processing DNS responses. A remote attacker can send a specially crafted DNS response to the application and cause denial of service conditions.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2024:6765