Bug 2371644 (CVE-2025-5988) - CVE-2025-5988 aap-gateway: CSRF origin checking is disabled
Summary: CVE-2025-5988 aap-gateway: CSRF origin checking is disabled
Keywords:
Status: NEW
Alias: CVE-2025-5988
Deadline: 2025-08-31
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-06-11 02:10 UTC by OSIDB Bzimport
Modified: 2025-08-04 18:00 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHSA-2025:12772
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2025-08-04 18:00:05 UTC

Description OSIDB Bzimport 2025-06-11 02:10:18 UTC
CSRF origin checking is not done on requests from the gateway to external components (controller, hub, eda)

Requirements to exploit:

  TLS edge termination prior to a request being passed into the gateway. Any requests that were made via HTTPS will have referer checking in place of origin checking.
  The attacker must have a CSRF form token associated with the user's CSRF cookie. This would mean that they'd need to make a cross-origin request to the platform via JavaScript using the victim's cookies (this should be blocked by most modern browsers), or otherwise find some other means of deriving this token.
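For readers checking their own deployments, the following is an added illustration (not code from aap-gateway or Red Hat) of what the origin check described above looks like in the common two-stage form: an Origin header, when present, must name a trusted origin, and HTTPS requests without one fall back to referer checking. The `is_secure` helper models the edge-termination condition from the report: when TLS is terminated in front of the application, the app sees plain HTTP and the referer stage is skipped unless the proxy's forwarded-scheme header is trusted. All names, origins and headers here are hypothetical.

```python
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit


def _origin_of(url: str) -> Optional[str]:
    """Return 'scheme://host[:port]' for a URL, or None if it has no scheme/host."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_secure(scheme: str, forwarded_proto: Optional[str], trust_proxy: bool) -> bool:
    """What the app believes about the connection.

    Behind an edge TLS terminator the socket scheme is 'http'; the request is
    only recognised as HTTPS if the proxy's X-Forwarded-Proto is trusted.
    """
    if trust_proxy and forwarded_proto:
        return forwarded_proto.lower() == "https"
    return scheme.lower() == "https"


def csrf_origin_check(headers: Dict[str, str], secure: bool,
                      trusted_origins: Set[str]) -> Tuple[bool, str]:
    """Decide whether a state-changing request passes origin checking.

    Stage 1: an Origin header must match a trusted origin exactly.
    Stage 2: on HTTPS with no Origin header, the Referer's origin is checked.
    Plain-HTTP requests with no Origin header reach neither stage, which is
    the gap that edge termination opens when the forwarded scheme is ignored.
    """
    h = {k.lower(): v for k, v in headers.items()}
    trusted = {o.lower() for o in trusted_origins}
    origin = h.get("origin")
    if origin is not None:
        if origin.lower() in trusted:
            return True, "origin header matches a trusted origin"
        return False, f"origin {origin!r} is not trusted"
    if secure:
        referer = h.get("referer")
        if referer is None:
            return False, "https request without Origin or Referer"
        if _origin_of(referer) in trusted:
            return True, "referer matches a trusted origin"
        return False, f"referer {referer!r} is not trusted"
    return True, "plain http request without Origin: origin check not applied"
```

With `trust_proxy=False` a request that arrived over HTTPS at the edge but over HTTP at the app is treated as plain HTTP, so the referer stage never runs; enabling the forwarded-scheme trust restores it.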

Comment 4 errata-xmlrpc 2025-08-04 18:00:03 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2025:12772 https://access.redhat.com/errata/RHSA-2025:12772

