A flaw was found in the Event-Driven Ansible (EDA) component of the Ansible Automation Platform: user-supplied Git branch or refspec values for EDA projects are evaluated as Jinja2 templates instead of being treated as literal strings. An authenticated user can therefore inject template expressions that execute commands or read sensitive files on the EDA worker. On OpenShift, this can lead to theft of the service account token available to the EDA worker.
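The vulnerable pattern described above beside a hardened handler, as an added example in Python (this is not code from Event-Driven Ansible or Red Hat; the function names, the `git fetch` command line and the validation rules are assumptions for illustration). The unsafe function renders the user-supplied ref string as a Jinja2 template, so a benign probe such as `{{ 7 * 7 }}` comes back as `49`; the hardened path never templates the value, rejects anything that is not a syntactically valid git ref (including Jinja2 delimiters and a leading `-` that git would parse as an option), and passes the value to git as a single literal argv element.

```python
"""Added example for CVE-2025-49521 (not code from Event-Driven Ansible or
Red Hat): a branch/refspec value rendered as a Jinja2 template, beside a
hardened handler that validates the value and passes it to git literally.
Function names and the validation rules are assumptions for illustration."""
import re
from typing import List, Optional

try:
    from jinja2 import Template  # only needed for the vulnerable demo
except ImportError:
    Template = None

# Jinja2 delimiters: a value containing these is evaluated, not copied,
# once it is passed to Template(...).render().
_TEMPLATE_MARKERS = ("{{", "{%", "{#")

# Characters git check-ref-format forbids: control chars, space, ~ ^ : ? * [ \
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f ~^:?*\[\\]")


def render_ref_unsafe(user_value: str) -> Optional[str]:
    """Vulnerable pattern: the user-supplied ref string *is* the template.

    "{{ 7 * 7 }}" renders to "49", proving the input is evaluated by the
    template engine rather than handed to git as a branch name. Returns None
    when jinja2 is not installed.
    """
    if Template is None:
        return None
    return Template(user_value).render()


def is_valid_git_ref(name: str, allow_pattern: bool = False) -> bool:
    """Conservative subset of `git check-ref-format --allow-onelevel`.

    Also rejects Jinja2 delimiters and a leading '-' (which git would parse
    as an option). With allow_pattern=True a single '*' is permitted, as in
    the glob side of a refspec.
    """
    if not name or name == "@" or name.startswith("-"):
        return False
    if name.startswith("/") or name.endswith("/") or "//" in name:
        return False
    if name.endswith(".") or ".." in name or "@{" in name:
        return False
    if any(marker in name for marker in _TEMPLATE_MARKERS):
        return False
    probe = name
    if allow_pattern:
        if name.count("*") > 1:
            return False
        probe = name.replace("*", "x")
    if _FORBIDDEN.search(probe):
        return False
    return all(
        not part.startswith(".") and not part.endswith(".lock")
        for part in name.split("/")
    )


def is_valid_refspec(spec: str) -> bool:
    """[+]<src>[:<dst>] with at most one '*' per side and matching counts."""
    if spec.startswith("+"):
        spec = spec[1:]
    if spec.count(":") > 1:
        return False
    src, _, dst = spec.partition(":")
    if not src or not is_valid_git_ref(src, allow_pattern=True):
        return False
    if dst:
        if not is_valid_git_ref(dst, allow_pattern=True):
            return False
        if src.count("*") != dst.count("*"):
            return False
    return True


def build_fetch_argv(remote_url: str, branch: str) -> List[str]:
    """Hardened pattern: validate, then pass the value as one literal argv
    element. No template engine and no shell ever see the string."""
    if not is_valid_git_ref(branch):
        raise ValueError(f"rejected branch name: {branch!r}")
    return ["git", "fetch", "--depth", "1", remote_url, branch]


if __name__ == "__main__":
    # Constructed sample inputs: a benign branch name and a template probe.
    for value in ("main", "{{ 7 * 7 }}"):
        print(f"{value!r}: unsafe render -> {render_ref_unsafe(value)!r}, "
              f"valid ref -> {is_valid_git_ref(value)}")
```

The validator is deliberately stricter than git itself (it refuses an empty refspec source and any Jinja2 delimiter); the point is that the branch and refspec fields are data that goes to git unchanged, never a template the worker renders.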
History
Tue, 01 Jul 2025 02:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | | Redhat ansible Automation Platform Developer; Redhat ansible Automation Platform Inside |
CPEs | | cpe:/a:redhat:ansible_automation_platform:2.5::el8; cpe:/a:redhat:ansible_automation_platform:2.5::el9; cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8; cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9; cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8; cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9 |
Vendors & Products | | Redhat ansible Automation Platform Developer; Redhat ansible Automation Platform Inside |
References | | |
Tue, 01 Jul 2025 00:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References | | |
Metrics | threat_severity | threat_severity |
Mon, 30 Jun 2025 21:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | | A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift, it can lead to service account token theft. |
Title | | Event-driven-ansible: template injection via git branch and refspec in eda projects |
First Time appeared | | Redhat; Redhat ansible Automation Platform |
Weaknesses | | CWE-94 (Improper Control of Generation of Code, 'Code Injection') |
CPEs | | cpe:/a:redhat:ansible_automation_platform:2 |
Vendors & Products | | Redhat; Redhat ansible Automation Platform |
References | | |
Metrics | | cvssV3_1 |

Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2025-07-01T01:53:44.338Z
Reserved: 2025-06-06T14:33:40.850Z
Link: CVE-2025-49521

No data.

Status : Received
Published: 2025-06-30T21:15:31.063
Modified: 2025-07-01T02:15:22.310
Link: CVE-2025-49521
