Bug 2392835 (CVE-2025-9908)

Summary: CVE-2025-9908 event-driven-ansible: Sensitive Internal Headers Disclosure in AAP EDA Event Streams
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dschmidt, erezende, haoli, hkataria, jajackso, jcammara, jlanda, jmitchel, jneedle, kegrant, koliveir, kshier, mabashia, mattdavi, pbraun, security-response-team, shvarugh, simaishi, smcdonal, stcannon, teagle, tfister, thavo, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. This vulnerability allows an authenticated user to gain access to sensitive internal infrastructure headers (such as X-Trusted-Proxy and X-Envoy-*) and event stream URLs via crafted requests and job templates. By exfiltrating these headers, an attacker could spoof trusted requests, escalate privileges, or perform malicious event injection.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2025-10-01   

Description OSIDB Bzimport 2025-09-03 07:53:12 UTC 
A user can gain access to sensitive infrastructure headers and event stream url which has been characterized as sensitive (to avoid DDoS type attacks).

If there is an event stream set up by an administrator, and a credential to the controller to allow job template action (they could create that or have it shared with them), they can gain knowledge of other sensitive internal headers, including, but not limited to, X-Trusted-Proxy.
Comment 1 errata-xmlrpc 2025-10-28 19:09:57 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 9

Via RHSA-2025:19201 https://access.redhat.com/errata/RHSA-2025:19201
Comment 2 errata-xmlrpc 2025-12-10 17:40:17 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2025:23069 https://access.redhat.com/errata/RHSA-2025:23069