Bug 2355540 (CVE-2025-2877) - CVE-2025-2877 event-driven-ansible: exposure inventory passwords in plain text when starting a rulebook activation with verbosity set to debug in EDA
Summary: CVE-2025-2877 event-driven-ansible: exposure inventory passwords in plain tex...
Keywords:
Status: NEW
Alias: CVE-2025-2877
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-03-27 17:07 UTC by OSIDB Bzimport
Modified: 2025-05-15 08:29 UTC (History)
21 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:3636 0 None None None 2025-04-07 15:13:57 UTC
Red Hat Product Errata RHSA-2025:3637 0 None None None 2025-04-07 15:14:53 UTC

Description OSIDB Bzimport 2025-03-27 17:07:15 UTC 
Inventory passwords are exposed in plain text when starting a rulebook activation with verbosity set to debug. This issue is reproducible for any "debug" action in a rulebook and also affects Event Streams, exposing postgres passwords.
Comment 1 errata-xmlrpc 2025-04-07 15:13:55 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2025:3636 https://access.redhat.com/errata/RHSA-2025:3636
Comment 2 errata-xmlrpc 2025-04-07 15:14:51 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 8
  Red Hat Ansible Automation Platform 2.5 for RHEL 9

Via RHSA-2025:3637 https://access.redhat.com/errata/RHSA-2025:3637
Note You need to log in before you can comment on or make changes to this bug.