Bug 2293576 (CVE-2024-6234) - CVE-2024-6234 ansible-automation-platform: EDA server exposes websocket jwt when running rulebook activations in debug mode
Summary: CVE-2024-6234 ansible-automation-platform: EDA server exposes websocket jwt w...
Keywords:
Status: NEW
Alias: CVE-2024-6234
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2293577
Reported: 2024-06-21 02:03 UTC by Robb Gatica
Modified: 2025-07-16 10:37 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Robb Gatica 2024-06-21 02:03:15 UTC
Summary:
EDA server exposes websocket jwt when running rulebook activations in debug mode. The jwt is sensitive and should never be exposed.

Steps to Reproduce:
1. Make an Automation Decision

2. Make a Project.

3. Create a Rulebook Activation from the project you created and set the log level to Debug

4. Activate it

Expected results:
For the Authorization to be redacted
2024-06-07 17:23:31,360 - websockets.client - DEBUG - > Authorization:
Bearer e ****

Actual results:
2024-06-07 17:23:31,360 - websockets.client - DEBUG - > Authorization:
Bearer [**redacted jwt**]

Additional Information:
- The bearer value is a jwt and can be base64 decoded, i.e. you can use the Bearer secret to connect to the websocket.

- Once connected you can issue commands that return playbook content and other secrets injected. In this case it's showing an EDA credential w/ Controller username and Token that I associated with the rulebook activation.

- It seems likely that the fix for a previous websocket vulnerability introduced this vulnerability


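The expected behaviour in the report is that the `websockets.client` DEBUG line shows `Bearer e ****` rather than the token. The following is an added illustration of one way to get that (it is not EDA's own fix and is not code from the report): a `logging.Filter` that rewrites any `Bearer <token>` in a record before any handler writes it. The logger name `websockets.client`, the sample header lines and the JWT-like value are constructed for the example.

```python
import io
import logging
import re

# Matches "Bearer <token>" as it appears in websockets.client debug output
# ("> Authorization: Bearer eyJ..."); keeps the token's first character as a hint,
# mirroring the "Bearer e ****" form the bug report expects.
_BEARER_RE = re.compile(r"(Bearer\s+)(\S)\S*")


def redact_bearer(text: str) -> str:
    """Replace every Bearer token in text with its first character plus ' ****'."""
    return _BEARER_RE.sub(r"\1\2 ****", text)


class BearerRedactingFilter(logging.Filter):
    """Rewrites the record's rendered message in place so no handler sees the raw token.
    Note: a filter on a logger does not apply to records propagated from child loggers;
    attach it to the handler as well if other loggers may echo request headers."""

    def filter(self, record: logging.LogRecord) -> bool:
        message = record.getMessage()      # render %-args once, then drop them
        record.msg = redact_bearer(message)
        record.args = ()
        return True


def install(logger_name: str = "websockets.client") -> logging.Logger:
    """Attach the redacting filter to the named logger (idempotent)."""
    logger = logging.getLogger(logger_name)
    if not any(isinstance(f, BearerRedactingFilter) for f in logger.filters):
        logger.addFilter(BearerRedactingFilter())
    return logger


def demo(lines) -> str:
    """Log constructed header lines at DEBUG through the filtered logger and return
    what a handler actually wrote, so the redaction can be checked end to end."""
    logger = install("websockets.client")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(name)s - %(levelname)s - %(message)s"))
    logger.addHandler(handler)
    try:
        for line in lines:
            logger.debug("%s", line)
    finally:
        logger.removeHandler(handler)
    return buf.getvalue()
```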