Bug 2392835 (CVE-2025-9908) - CVE-2025-9908 event-driven-ansible: Sensitive Internal Headers Disclosure in AAP EDA Event Streams
Summary: CVE-2025-9908 event-driven-ansible: Sensitive Internal Headers Disclosure in ...
Keywords:
Status: NEW
Alias: CVE-2025-9908
Deadline: 2025-10-01
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-09-03 07:53 UTC by OSIDB Bzimport
Modified: 2025-12-10 17:40 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:19201 0 None None None 2025-10-28 19:09:59 UTC
Red Hat Product Errata RHSA-2025:23069 0 None None None 2025-12-10 17:40:20 UTC

Description OSIDB Bzimport 2025-09-03 07:53:12 UTC
A user can gain access to sensitive infrastructure headers and the event stream URL, which has been characterized as sensitive (to avoid DDoS-type attacks).

If there is an event stream set up by an administrator, and a credential to the controller to allow job template action (they could create that or have it shared with them), they can gain knowledge of other sensitive internal headers, including, but not limited to, X-Trusted-Proxy.

Comment 1 errata-xmlrpc 2025-10-28 19:09:57 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 9

Via RHSA-2025:19201 https://access.redhat.com/errata/RHSA-2025:19201

Comment 2 errata-xmlrpc 2025-12-10 17:40:17 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2025:23069 https://access.redhat.com/errata/RHSA-2025:23069