Synopsis
The remote Red Hat host is missing one or more security updates.
Description
The remote Red Hat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:14686 advisory.
Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.
Security Fix(es):
* automation-controller: Path Traversal Vulnerability in setuptools PackageIndex (CVE-2025-47273)
* python3.11-django: Django Path Injection Vulnerability (CVE-2025-48432)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Updates and fixes included:
Automation platform
* Enhanced Support for Streaming Chat Responses (AAP-51756)
* Improved LDAP filter parsing/handling (AAP-51591)
* Updated AAP to allow for HTTP headers to be passed through envoy when HTTPS is offloaded by another device in front of envoy (AAP-51347)
* Updated the OpenAPI spec to now reflect all available query parameters (AAP-49824)
* Added a new field on AzureAD authenticator called 'Field to use as username' which allows use of an arbitrary field from the assertion as the username (AAP-49481)
* Fixed migration scenarios that left legacy users in a partly migrated state to now migrate properly to gateway (AAP-43251)
* Removed the required label from the Organization field for Galaxy credentials in the controller Credential Create and Edit forms (AAP-51587)
* Fixed the 'LOGIN_REDIRECT_OVERRIDE' to be respected (AAP-49726)
* Fixed a breadcrumb in a launch template to no longer send users to the wrong URL (AAP-44194)
* Fixed the subscription entitlement window to no longer display again after AAP has been entitled when running in a load-balanced environment with multiple controller web pods (AAP-43883)
* Updated the AAP User Interface to allow all users to see the Notifiers tab (AAP-41342)
* Added the limit field on the job details page (AAP-36118)
* automation-gateway has been updated to 2.5.20250827
* python3.11-django-ansible-base has been updated to 2.5.20250827
Automation controller
* Galaxy credentials can now be created and edited without the need to specify an organization (AAP-51614)
* Fixed the subscription functionality to no longer attach before subscription credentials have been set, and to return a '400 Bad Request' error instead (AAP-50322)
* automation-controller has been updated to 4.6.19
Event-Driven Ansible
* Fixed project import state to no longer be stuck at pending or running (AAP-51643)
* Fixed EDA to allow '%20' in the project git URL (AAP-51642)
* Fixed 'MQ_TLS' to accept a boolean value (AAP-51012)
* Fixed missing RPM dependency for PostgreSQL client which resulted in container images missing psql binaries (AAP-50941)
* Fixed a bug that prevented a user who belonged to a team with an EDA organization Project Admin role from being able to see the organization (AAP-50921)
* automation-eda-controller has been updated to 1.1.13
Container-based Ansible Automation Platform
* Implemented PostgreSQL extra settings parameter on the installer (AAP-51533)
* Fixed the Redis hostname to no longer fail to be set in a disconnected environment (AAP-51532)
* Updated the preflight PostgreSQL version check to temporarily use a CA bundle from the VM server with the custom certificate appended, if one is provided (AAP-50884)
* Fixed PCP data permissions by migrating the data to a podman volume instead of a bind mount (AAP-50807)
* Fixed a parameter to allow excluding subdirectories during the Automation Hub backup process (AAP-50784)
* Added an exclusion parameter for Containerized Backup, allowing users to specify snapshot paths to be excluded from the backup process (AAP-46767)
* containerized installer setup has been updated to 2.5-18
RPM-based Ansible Automation Platform
* Added 'postgres_extra_settings' for postgresql.conf customization for managed database installations (AAP-51462)
* Fixed automation controller nodes so they are removed from the gateway registry when set to a deprovision state (AAP-51461)
* Fixed the installer to no longer fail when disabling HTTPS for gateway and/or gateway proxy (envoy) (AAP-48606)
* ansible-automation-platform-installer and installer setup have been updated to 2.5-17
Additional changes:
* automation-hub has been updated to 4.10.7
* python3.11-django has been updated to 4.2.23
* python3.11-galaxy-ng has been updated to 4.10.7
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.
Plugin Details
File Name: redhat-RHSA-2025-14686.nasl
Agent: unix
Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
Risk Information
Vendor
Vendor Severity: Moderate
Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Threat Vector: CVSS:4.0/E:P
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Vulnerability Information
CPE: p-cpe:/a:redhat:enterprise_linux:automation-controller-ui, p-cpe:/a:redhat:enterprise_linux:python3.11-django, p-cpe:/a:redhat:enterprise_linux:automation-controller, cpe:/o:redhat:enterprise_linux:8, p-cpe:/a:redhat:enterprise_linux:automation-controller-server, cpe:/o:redhat:enterprise_linux:9, p-cpe:/a:redhat:enterprise_linux:automation-controller-venv-tower, p-cpe:/a:redhat:enterprise_linux:automation-controller-cli
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
Exploit Ease: Exploits are available
Patch Publication Date: 8/26/2025
Vulnerability Publication Date: 5/17/2025