CVE-2025-49521

A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift, it can lead to service account token theft.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2025:9986
https://access.redhat.com/security/cve/CVE-2025-49521
https://bugzilla.redhat.com/show_bug.cgi?id=2370817

Configurations

No configuration.

History

03 Jul 2025, 15:14

Type	Values Removed	Values Added
Summary		(es) Se detectó una falla en el componente EDA de Ansible Automation Platform, donde los valores de rama o refspec de Git proporcionados por el usuario se evalúan como plantillas Jinja2. Esta vulnerabilidad permite a los usuarios autenticados inyectar expresiones que ejecutan comandos o acceden a archivos confidenciales en el trabajador EDA. En OpenShift, puede provocar el robo de tokens de cuentas de servicio.

01 Jul 2025, 02:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2025:9986 -

30 Jun 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-30 21:15

Updated : 2025-07-03 15:14

NVD link : CVE-2025-49521

Mitre link : CVE-2025-49521

CVE.ORG link : CVE-2025-49521

JSON object : View

Products Affected

No product.

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

8.8 /10