RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.5 Product Security and Bug Fix Update (Important) (RHSA-2025:18979)

high Nessus Plugin ID 271208

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

The remote Red Hat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:18979 advisory.

Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.

Security Fix(es):

* python3.11-django: Potential partial directory-traversal via archive.extract() (CVE-2025-59682)
* automation-gateway: tar-fs symlink validation bypass (CVE-2025-59343)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Updates and fixes included:

Automation Platform
* Azure AD authentication now searches more fields to find the username override field specified. If not found it will log a warning message indicating which fields are valid (AAP-53789)
* Support TLSv1.3 on server-to-server requests, where previously services which only supported TLSv1.3 would not work (AAP-49456)
* Added a step in the subscription wizard that allows the user to configure automation analytics (AAP-55094)
* Subscription credentials can no longer be viewed/edited from the system settings page (AAP-55014)
* Fixed an issue where the settings displayed Red Hat inconsistently in the API and UI (AAP-54277)
* Fixed a bug where platform auditors were not able to see Automation Execution and Platform level settings (AAP-53975)
* Fixed an issue where some fields were missing the autocomplete = new-password setting (AAP-53934)
* Fixed an issue where AAP could not set/create a playbook when using branch override (AAP-52566)
* Empty strings are no longer displayed in the extra variables field on the Jobs > Details page (AAP-49448)
* Added two new toggle options on the subscription wizard to allow for fetching subscriptions using basic authentication (AAP-47865)
* Fixed validation of prompt-on-launch credentials in a workflow job template (AAP-40540)
* Fixed an issue for comments in extra vars sections, all comments in YAML are now persisted on create and edit operations for a resource (AAP-37071)
* Updated error handling in the Authenticator form to match other forms in the Platform UI (AAP-22928)
* automation-gateway has been updated to 2.5.20251022
* automation-gateway-proxy has been updated to 2.5.10-3 for RHEL8
* automation-gateway-proxy has been updated to 2.6.6-4 for RHEL9
* python3.11-django-ansible-base has been updated to 2.5.20251022

Automation controller
* Fixed an issue where the ansible.platform collection did not work with the default Red Hat Ansible Automation Platform credential type (AAP-55685)
* Fixed an issue where the callback receiver and dispatcher entered a crash loop after the installer was re-run with a modified inventory hostname (AAP-55638)
* Added support for Red Hat username and password for the subscription management API (AAP-54976)
* Fixed a race condition in system_administrator role creation, most commonly seen on new OpenShift deployments, that resulted in the default instance group not being created (AAP-54964)
* Fixed an issue where Grafana notifications couldn't have an empty dashboard ID or panel ID (AAP-54654)
* Improved stability on long-running jobs, clusters under heavy load and network flakiness in receptor (AAP-53742)
* Fixed the Platform Auditor role so it can view controller settings (AAP-53345)
* Added missing instruction to set an environment variable in the CLI in order to achieve compatibility with the current release (AAP-37812)
* Fixed the Platform Auditor role so it can view the Metrics API endpoint (AAP-36492)
* automation-controller has been updated to 4.6.21
* receptor has been updated to 1.6.0

Automation hub
* Fixed an issue where the _ui/v2/ user detail view did not display the data correctly (AAP-55957)
* automation-hub has been updated to 4.10.9
* python3.11-galaxy-ng has been updated to 4.10.9
* python3.11-galaxy-importer has been updated to 0.4.34

Container-based Ansible Automation Platform
* Set REDHAT_CANDLEPIN_VERIFY to correct CA pem so that controller can make requests to subscription.rhsm.redhat.com (AAP-55181)
* Implemented preflight ansible-core version validation (AAP-54931)
* Fixed a bug where Ansible would fail to gather the system's UUID for Linux on Power (AAP-54540)
* containerized installer setup has been updated to 2.5-20

RPM-based Ansible Automation Platform
* Fixed an issue where setting automationgateway_disable_https=false resulted in install failure (AAP-55475)
* Set REDHAT_CANDLEPIN_VERIFY to correct CA pem so that controller can make requests to subscription.rhsm.redhat.com (AAP-55184)
* Fixed issue where RESOURCE_KEY SECRET_KEY was not updated when restoring from a different environment (AAP-54944)
* Fixed issue where EDA DE credentials failed to populate on initial install (AAP-54520)
* Fixed an issue where automation gateway's envoy.log did not receive logs after it was rotated (AAP-54079)
* ansible-automation-platform-installer and installer setup have been updated to 2.5-19

Additional changes
* python3.11-django has been updated to 4.2.25

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
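Both CVEs in this advisory fall into the weakness classes listed under Reference Information, CWE-22 (path traversal out of the extraction root) and CWE-61 (following a symlink planted by the archive). The following is an added example, written for this page, of the checks an extractor needs to reject both classes; it is generic defensive code, not Django's archive.extract(), not tar-fs, and not the upstream fixes, and it says nothing about how either CVE is triggered. The archive it vets is constructed in memory, and the member names and the "pkg/" prefix are made up for the illustration.

```python
"""Vet tar members for CWE-22 (path traversal) and CWE-61 (symlink following)
before extracting. Added example: generic defensive code, not Django's
archive.extract(), not tar-fs and not the upstream fixes; the archive is
constructed in memory so the script runs offline."""
import io
import os
import posixpath
import tarfile
import tempfile


def _escapes(path):
    """True if an archive path is absolute or climbs above the extraction root."""
    norm = posixpath.normpath(path)
    return path.startswith("/") or norm == ".." or norm.startswith("../")


def vet_member(m):
    """Return None if the member may be extracted, else a rejection reason."""
    if m.isdev():  # char/block devices and FIFOs never belong in an unpack
        return "special file"
    if _escapes(m.name):
        return "path escapes destination"
    if m.issym() or m.islnk():
        target = m.linkname
        if m.issym():
            # symlink targets resolve relative to the link's own directory;
            # hardlink targets are relative to the archive root
            target = posixpath.join(posixpath.dirname(m.name), target)
        if _escapes(target):
            return "link target escapes destination"
    return None


def vet_members(members):
    """Split members into safe names and (name, reason) rejections.

    Besides per-member checks, remember symlinks already accepted and reject any
    later member whose path passes through one: writing 'a/x' after 'a' was
    extracted as a symlink follows the link even though 'a/x' looks in-tree."""
    symlinks, safe, rejected = set(), [], []
    for m in members:
        reason = vet_member(m)
        if reason is None:
            parts = posixpath.normpath(m.name).split("/")
            ancestors = ("/".join(parts[:i]) for i in range(1, len(parts)))
            if any(a in symlinks for a in ancestors):
                reason = "path passes through a symlink"
        if reason is None:
            safe.append(m.name)
            if m.issym():
                symlinks.add(posixpath.normpath(m.name))
        else:
            rejected.append((m.name, reason))
    return safe, rejected


def safe_extract(tar_bytes, dest):
    """Extract only vetted members; where the running Python has the stdlib
    'data' filter (PEP 706) it is applied too, as a second layer."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        safe, rejected = vet_members(tar.getmembers())
        keep = [m for m in tar.getmembers() if m.name in set(safe)]
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=keep, **kwargs)
    return safe, rejected


def build_sample_tar():
    """Constructed archive mixing benign and hostile members (not a real sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"x"):
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tar.addfile(ti, io.BytesIO(data))

        def add_link(name, target, kind):
            ti = tarfile.TarInfo(name)
            ti.type, ti.linkname = kind, target
            tar.addfile(ti)

        add_file("pkg/README")
        add_file("pkg/../../etc/cron.d/job")                   # CWE-22 traversal
        add_file("/etc/passwd")                                # absolute path
        add_link("pkg/out", "../../", tarfile.SYMTYPE)         # CWE-61 escaping symlink
        add_link("pkg/lnk", "lib", tarfile.SYMTYPE)            # in-tree symlink, allowed
        add_file("pkg/lnk/hidden")                             # write through that symlink
        add_link("pkg/hard", "/etc/shadow", tarfile.LNKTYPE)   # hardlink outside root
    return buf.getvalue()


def demo():
    """Extract the sample into a temp dir; return kept names, rejected names, README present."""
    dest = tempfile.mkdtemp()
    safe, rejected = safe_extract(build_sample_tar(), dest)
    readme_ok = os.path.isfile(os.path.join(dest, "pkg", "README"))
    return safe, sorted(name for name, _ in rejected), readme_ok


if __name__ == "__main__":
    kept, dropped, _ = demo()
    print("extracted:", kept)
    print("rejected:", dropped)
```

The symlink-tracking step is the one most extractors miss: each member looks in-tree on its own, and only the combination of an earlier symlink and a later write beneath it escapes. Normalising paths with posixpath rather than os.path keeps the vetting independent of the host OS; the stdlib data filter adds a realpath-based check against the actual destination once files exist.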

Solution

Update the affected packages.
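The plugin's own check is version-based (see the note above), and the advisory text lists the package versions it ships. The following added example, not Tenable's plugin logic and not Red Hat tooling, reproduces that comparison on a host from `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` output. The fixed-version table is copied from the "Updates and fixes included" section; since the advisory gives bare versions for every package except automation-gateway-proxy, the script compares only what the page states (epoch is not listed and is ignored), so `dnf updateinfo info RHSA-2025:18979` remains the authoritative answer. The rpm input is constructed inline so the script runs offline, and the rpmvercmp reimplementation is simplified (no `~`/`^` handling).

```python
"""Compare installed AAP RPM versions against the fixed versions named in the
RHSA-2025:18979 advisory text. Added example; not Tenable's plugin logic and
not Red Hat tooling. Input is the output of
    rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'
constructed inline below so the script runs offline."""
import re

# Fixed versions as stated in the advisory text. Bare versions for most
# packages; automation-gateway-proxy lists a release and differs per RHEL major.
FIXED = {
    "automation-controller": "4.6.21",
    "receptor": "1.6.0",
    "python3.11-django": "4.2.25",
    "automation-gateway": "2.5.20251022",
    "python3.11-django-ansible-base": "2.5.20251022",
    "automation-hub": "4.10.9",
    "python3.11-galaxy-ng": "4.10.9",
    "python3.11-galaxy-importer": "0.4.34",
}
FIXED_BY_RHEL = {
    "automation-gateway-proxy": {"8": "2.5.10-3", "9": "2.6.6-4"},
}


def rpmvercmp(a, b):
    """Simplified rpmvercmp: split into numeric and alpha segments, compare
    segment-wise (numeric beats alpha), longer string wins on tie.
    The ~ and ^ modifiers of real rpm are not handled."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return (xi > yi) - (xi < yi)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_fixed(installed_ver, installed_rel, fixed):
    """True if installed version(-release) >= fixed. When the advisory gives no
    release for a package, only the version is compared."""
    fixed_ver, _, fixed_rel = fixed.partition("-")
    c = rpmvercmp(installed_ver, fixed_ver)
    if c != 0 or not fixed_rel:
        return c >= 0
    return rpmvercmp(installed_rel, fixed_rel) >= 0


def check_installed(rpm_qa_output, rhel_major):
    """Return {name: (installed, fixed, status)} for packages the advisory names;
    packages not named in the advisory are skipped."""
    results = {}
    for line in rpm_qa_output.strip().splitlines():
        name, ver, rel = line.split()
        fixed = FIXED.get(name) or FIXED_BY_RHEL.get(name, {}).get(rhel_major)
        if fixed is None:
            continue
        status = "ok" if is_fixed(ver, rel, fixed) else "outdated"
        results[name] = (f"{ver}-{rel}", fixed, status)
    return results


# Constructed sample: what rpm -qa might print on a RHEL 9 AAP 2.5 node.
SAMPLE_RPM_QA = """\
automation-controller 4.6.20 2.el9ap
receptor 1.6.0 1.el9ap
python3.11-django 4.2.24 1.el9ap
automation-gateway-proxy 2.6.6 3.el9ap
automation-gateway 2.5.20251022 1.el9ap
bash 5.1.8 9.el9
"""

if __name__ == "__main__":
    for name, (inst, fixed, status) in check_installed(SAMPLE_RPM_QA, "9").items():
        print(f"{status:8} {name} installed={inst} fixed={fixed}")
```

Feed it real output with `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n' | python3 check.py` after replacing SAMPLE_RPM_QA with stdin, and pass the host's RHEL major so automation-gateway-proxy is compared against the right build. A result of "ok" here means the self-reported version meets the advisory's stated version, the same evidence the plugin relies on, not that the package was verified by signature or content.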

See Also

https://access.redhat.com/security/updates/classification/#important

https://bugzilla.redhat.com/show_bug.cgi?id=2397901

https://bugzilla.redhat.com/show_bug.cgi?id=2400450

https://issues.redhat.com/browse/AAP-56352

http://www.nessus.org/u?5479ecbe

https://access.redhat.com/errata/RHSA-2025:18979

Plugin Details

Severity: High

ID: 271208

File Name: redhat-RHSA-2025-18979.nasl

Version: 1.1

Type: local

Agent: unix

Published: 10/22/2025

Updated: 10/22/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

Vendor

Vendor Severity: Important

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2025-59682

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 6.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2025-59343

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:python3.11-django, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9, p-cpe:/a:redhat:enterprise_linux:automation-gateway-server, p-cpe:/a:redhat:enterprise_linux:automation-gateway, p-cpe:/a:redhat:enterprise_linux:automation-gateway-config

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 10/22/2025

Vulnerability Publication Date: 9/24/2025

Reference Information

CVE: CVE-2025-59343, CVE-2025-59682

CWE: 22, 61

RHSA: 2025:18979