Bug 2370812 (CVE-2025-49520) - CVE-2025-49520 event-driven-ansible: Authenticated Argument Injection in Git URL in EDA Project Creation
Summary: CVE-2025-49520 event-driven-ansible: Authenticated Argument Injection in Git ...
Keywords:
Status: NEW
Alias: CVE-2025-49520
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-06-06 15:11 UTC by OSIDB Bzimport
Modified: 2025-06-30 21:20 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Links
System: Red Hat Product Errata
ID: RHSA-2025:9986
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2025-06-30 21:20:46 UTC

Description OSIDB Bzimport 2025-06-06 15:11:36 UTC
Authenticated Argument Injection vulnerability in the Git handling logic of the Ansible Automation Platform’s Event-Driven Ansible (EDA) component. The flaw occurs during EDA project creation, where the user-supplied Git repository URL is passed unvalidated to the git ls-remote command. By injecting malicious Git options, an attacker can execute arbitrary commands on the EDA worker. In Kubernetes or OpenShift environments, this enables attackers to exfiltrate the service account token of the pod, potentially granting access to secrets, pods, and other sensitive resources. The issue requires authenticated access but can be exploited remotely, without user interaction, leading to full system compromise.
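The hardening a defender would apply to the flaw described above, as an added example that is not code from the event-driven-ansible project: reject option-like Git URLs before they ever reach `git ls-remote`, and invoke git as an argv list with no shell. The scheme allowlist and the use of git's `--end-of-options` marker (git 2.24 and later) are assumptions made for this example.

```python
# Added defender-side example, not code from the event-driven-ansible project:
# validate a user-supplied Git URL before it reaches `git ls-remote`, then run
# git as an argv list with no shell. The scheme allowlist is an assumption.
import os
import re
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https", "ssh", "git"}  # assumed policy for this example

def validate_repo_url(url: str) -> str:
    """Return url unchanged if it is safe to hand to git, else raise ValueError."""
    if not url:
        raise ValueError("empty URL")
    # The argument-injection check: a value starting with '-' is parsed by
    # git as one of its own options, not as the repository operand.
    if url.lstrip().startswith("-"):
        raise ValueError("URL must not begin with '-'")
    # Whitespace and control characters never belong in a repo URL and could
    # split into extra arguments if the value ever reached a shell.
    if re.search(r"[\s\x00-\x1f\x7f]", url):
        raise ValueError("URL contains whitespace or control characters")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if not parts.netloc:
        raise ValueError("URL has no host component")
    return url

def is_safe_repo_url(url: str) -> bool:
    """Boolean form of validate_repo_url() for callers that prefer no exceptions."""
    try:
        validate_repo_url(url)
    except ValueError:
        return False
    return True

def build_ls_remote_argv(url: str) -> list[str]:
    """argv for `git ls-remote`. `--end-of-options` (git >= 2.24) makes git treat
    the next value as an operand even if it looks like a flag; it is a second
    layer behind validate_repo_url(), not a substitute for it."""
    return ["git", "ls-remote", "--end-of-options", validate_repo_url(url)]

def ls_remote(url: str, timeout: int = 30) -> subprocess.CompletedProcess:
    """Run the validated command: argv list, no shell, no interactive prompts."""
    env = {**os.environ, "GIT_TERMINAL_PROMPT": "0"}
    return subprocess.run(build_ls_remote_argv(url), capture_output=True,
                          text=True, timeout=timeout, env=env, check=False)
```

Validation at the API boundary is the primary control; the `--end-of-options` marker only limits damage if a value slips past it.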

Comment 2 errata-xmlrpc 2025-06-30 21:20:44 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 8
  Red Hat Ansible Automation Platform 2.5 for RHEL 9

Via RHSA-2025:9986 https://access.redhat.com/errata/RHSA-2025:9986
