Synopsis
The remote Red Hat host is missing one or more security updates.
Description
The remote Red Hat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:16487 advisory.
Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.
Security Fix(es):
* automation-controller: Django SQL injection in FilteredRelation column aliases (CVE-2025-57833)
* automation-controller: Django Path Injection Vulnerability (CVE-2025-48432)
* python3.11-django: Django SQL injection in FilteredRelation column aliases (CVE-2025-57833)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Updates and fixes included:
Automation Platform
* Increased gateway control plane authorization performance to reduce or eliminate sporadic request errors (503, 504, 403) (AAP-53468)
* Fixed a bug where the gateway does not generate the necessary metadata for the UI to render Settings > Platform Gateway when the accessing user is an auditor rather than an admin (AAP-53279)
* If the gRPC server cannot connect to the database, it will now return a 503 to Envoy instead of a 403 (AAP-51931)
* Altered the help text for the setting ALLOW_OAUTH2_FOR_EXTERNAL_USERS (AAP-51886)
* Fixed an improperly formatted error message in the SAML authenticator when passing invalid security settings. The error will now properly show the invalid fields and will also indicate what the valid field values are (AAP-51705)
* Improved debug logging of authenticator map processing, reasoning and results for clarity (AAP-51639)
* Fixed an issue with authenticator maps not properly evaluating attribute 'in' conditions (AAP-51638)
* When logging in with SAML authentication, the user's groups will be correctly read from the configured attribute instead of expecting groups to always be in the Group attribute (AAP-51503)
* Added scrolling to multiselect dialogs to make pagination visible for users (AAP-52209)
* Fixed an issue that did not allow a user to save a Schedule for a Workflow job template when Limit had Prompt on Launch enabled (AAP-49794)
* automation-gateway has been updated to 2.5.20250924
* python3.11-django-ansible-base has been updated to 2.5.20250924
Automation controller
* Galaxy credentials can now be created and edited without the need to specify an organization (AAP-52197)
* Fixed a path injection vulnerability in Django so that internal HTTP response logging escapes request.path and remote attackers can't manipulate log output via crafted URLs (AAP-51443)
* The export command works through the controller collection or with awxkit when the correct environment variable is provided (AAP-49452)
* Fixed double escaped quotes in api/v2/jobs/{id}/stdout/?format=txt (AAP-49077)
* The export module in the collection now honors the CONTROLLER_OPTIONAL_API_URLPATTERN_PREFIX environment variable, fixing a bug where exports did not work on deployments using the platform gateway (AAP-39265)
* automation-controller has been updated to 4.6.20
Automation hub
* Added the GALAXY_API_SPEC_REQUIRE_AUTHENTICATION setting (defaults to false), which restricts access to the OpenAPI specification to authenticated users only (AAP-53578)
* automation-hub has been updated to 4.10.8
* python3.11-galaxy-ng has been updated to 4.10.8
Container-based Ansible Automation Platform
* Disable IPv6 binding on PostgreSQL and Redis services when IPv6 is disabled on the host (AAP-53546)
* Fixed the restore and implemented a migration for the controller resource secret key value (AAP-53535)
* Uploading ansible collections to Private Automation Hub isn't limited by the API pagination anymore (AAP-53526)
* Execute the create_initial_data EDA command during restore (AAP-53382)
* Fix an issue with the Private Automation Hub task name using quotes (AAP-53307)
* Fixed a path issue for custom_ca_cert when checking postgres connection and version during preflight (AAP-53213)
* Fix PostgreSQL configuration directory creation when TLS is disabled (AAP-52569)
* X-Forwarded-For and Real-Ip headers are now added to the Nginx logs (AAP-52562)
* containerized installer setup has been updated to 2.5-19
RPM-based Ansible Automation Platform
* Fixed an issue where redis_mode=standalone and the Redis group were defined at the same time (AAP-53560)
* Fixed an issue with EDA restores where database credentials were not updated for event stream (AAP-53529)
* Fixed an issue where the Redis node list could not be created on EDA/gateway nodes that were not part of the Redis group (AAP-53528)
* Fixed an issue where backup was failing when the deployment had more than one EDA node without eda_node_type defined (AAP-52892)
* Removed pulpcore-manager sudo requirement (AAP-52288)
* Fixed a typo in the task that cleans up instances from the controller (AAP-52078)
* The gateway uwsgi process count is now configurable (AAP-50390)
* Wait for Hub workers to come online (AAP-46261)
* ansible-automation-platform-installer and installer setup have been updated to 2.5-18
Additional changes
* aap-metrics-utility has been updated to 0.6.0
* ansible-creator has been updated to 25.8.0
* ansible-dev-environment has been updated to 25.8.0
* ansible-dev-tools has been updated to 25.8.3
* ansible-lint has been updated to 25.8.2
* ansible-navigator has been updated to 25.8.0
* ansible-sign has been updated to 0.1.2
* automation-gateway-proxy has been updated to 2.6.6-3 for RHEL9
* molecule has been updated to 25.7.0
* python3.11-ansible-compat has been updated to 25.8.1
* python3.11-django has been updated to 4.2.24
* python3.11-galaxy-importer has been updated to 0.4.33
* python3.11-pytest-ansible has been updated to 25.8.0
* python3.11-pytest-plus has been updated to 0.8.1
* python3.11-pytest-sugar has been updated to 1.1.1
* python3.11-ruamel-yaml has been updated to 0.18.15
* python3.11-termcolor has been updated to 3.1.0
* python3.11-tox-ansible has been updated to 25.8.0
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected automation-controller-venv-tower and / or python3.11-django packages.
Plugin Details
File Name: redhat-RHSA-2025-16487.nasl
Agent: unix
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus
Risk Information
Vendor
Vendor Severity: Important
Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:redhat:enterprise_linux:python3.11-django, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9, p-cpe:/a:redhat:enterprise_linux:automation-controller-venv-tower
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
Exploit Ease: No known exploits are available
Patch Publication Date: 9/23/2025
Vulnerability Publication Date: 6/5/2025