Vipul Nair

**Name of the Vulnerable Software and Affected Versions** Ansible Automation Platform (affected versions not specified) **Description** A flaw in the Ansible automation platform was found, related to an insecure WebSocket connection used during installation from the Ansible rulebook EDA server. This issue could allow an attacker with access to any machine in the CIDR block to download all rulebook data from the WebSocket, resulting in loss of confidentiality and integrity of the system. The vulnerability is also related to the lack of origin checking in WebSockets due to incorrect channel restriction, which could allow a remote attacker to gain unauthorized access to protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Quarkus versions prior to 3.6.9 Quarkus versions prior to 3.7.1 Quarkus versions prior to 3.8.x **Description** A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either `quarkus.security.jaxrs.deny-unannotated-endpoints` or `quarkus.security.jaxrs.default-roles-allowed` properties. **Recommendations** For Quarkus versions prior to 3.6.9, update to version 3.6.9 or later. For Quarkus versions prior to 3.7.1, update to version 3.7.1 or later. For Quarkus versions prior to 3.8.x, update to the 3.8.x LTS branch. As a temporary workaround, consider disabling the `quarkus.security.jaxrs.deny-unannotated-endpoints` and `quarkus.security.jaxrs.default-roles-allowed` properties until a patch is available. Restrict access to Quarkus RestEasy Classic or Reactive JAX-RS endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ansible (affected versions not specified) **Description** A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data. The flaw is related to incorrect management of code generation when processing templates, which may allow an attacker to execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Controller (affected versions not specified) **Description** An HTML injection flaw was found in the user interface settings of the Controller. This flaw allows an attacker to capture credentials by creating a custom login page by injecting HTML, resulting in a complete compromise. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ansible Automation platform (affected versions not specified) **Description** A logic flaw exists in the Ansible Automation platform. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the credentials from the log, resulting in the loss of confidentiality, integrity, and availability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ansible Automation Platform (affected versions not specified) **Description** The issue is related to a flaw in the ec2 key module of the Ansible Automation Platform, which is connected to shortcomings in the authorization procedure. This flaw allows an attacker to obtain access to confidential data, compromise their integrity, and cause a denial of service. Specifically, when creating a new keypair, the ec2 key module prints out the private key directly to the standard output, enabling an attacker to fetch those keys from the log files and compromise the system's confidentiality, integrity, and availability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Satellite (affected versions not specified) **Description** An arithmetic overflow flaw was found in Satellite when creating a new personal access token. This flaw allows an attacker to create personal access tokens that are valid indefinitely, resulting in damage to the system's integrity. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Red Hat Ansible Automation Platform versions 1.2 through 2.0 **Description** The issue concerns cross-site scripting in the automation controller UI. Specifically, the project name is susceptible to XSS injection, which could lead to security issues. **Recommendations** For Red Hat Ansible Automation Platform versions 1.2 through 2.0, consider sanitizing user input for project names to prevent XSS injection until a patch is available. As a temporary workaround, restrict the ability to create or edit project names to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ansible-tower (affected versions not specified) **Description** A flaw was found in ansible-tower where the default installation is vulnerable to job isolation escape. This flaw allows an attacker to elevate the privilege from a low privileged user to an AWX user from outside the isolated environment. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ansible-runner (affected versions not specified) **Description** A flaw was found in ansible-runner, where an improper escaping of the shell command, while calling the `ansible runner.interface.run command`, can lead to parameters getting executed as the host's shell command. This could allow a developer to unintentionally write code that gets executed in the host rather than the virtual environment. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ansible Automation Platform (affected versions not specified) **Description** A privilege escalation flaw was found in the Ansible Automation Platform. This flaw allows a remote authenticated user with `change user` permissions to modify the account settings of the superuser account and also remove the superuser privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.