RHEL 9 : Red Hat Ansible Automation Platform 2.6 Product Security and Bug Fix Update (Important) (RHSA-2025:23070)

critical Nessus Plugin ID 278140

Synopsis

The remote Red Hat host is missing a security update.

Description

The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:23070 advisory.

Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.

Security Fix(es):

* automation-controller: Django SQL injection (CVE-2025-64459)
* python3.11-django: Django SQL injection (CVE-2025-64459)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Updates and fixes included:

Automation Platform
* IPv6 and IPv4/IPv6 dual stack support is now enabled by default (AAP-58923)
* Fixed a server error that could happen when assigning permissions via the /api/eda/ or /api/controller/ endpoints (AAP-58622)
* automation-gateway has been updated to 2.6.20251210
* python3.11-django-ansible-base has been updated to 2.6.20251210

Automation Platform UI
* Fixed an issue where the job template did not remain editable after the associated project was deleted (AAP-58467)
* Fixed a bug where the project status update link on the job details page was broken (AAP-57215)
* Fixed an issue where the brand logo was missing in the About page when accessing it from the Overview page (AAP-57133)
* Fixed an issue where the Resource Type filter in the Roles page did not correctly filter by resource types (AAP-56691)
* Fixed an issue where the Launched by field appeared blank in the UI when the project update was triggered automatically (AAP-56643)
* Updated the playbook select dropdown to automatically select a playbook if there is only one in the project (AAP-56279)
* Fixed an issue where the source control Branch option was missing from the Inventory source (AAP-56149)
* Authenticator label was updated from 'Azuread' to 'Azure AD' (AAP-55677)
* Fixed a bug where the edit form for a survey would not display in the UI if the survey was created without a default value using the ansible.controller collection (AAP-51548)
* Improved labels and descriptions for Authenticator Mappings details (AAP-51295)
* Fixed descriptions for Remotes and Remote Registries (AAP-49838)
* Added Source control branch to Project Sync Job Details (AAP-49450)
* Fixed an issue where the collection hyperlink was broken in card view in private automation hub (AAP-49006)
* Fixed an issue where the Search function failed to narrow results when adding host to group (AAP-47510)
* Improved custom login text for legibility and to allow for HTML markup such as links (AAP-47462)
* Fixed an issue where the filtering by host name did not work as expected in the Add Existing Host dialog (AAP-45534)
* Fixed the URL to workflow job template output in notifications (AAP-43796)
* Search filter now works from any page within the Hosts list (AAP-42679)
* Fixed an issue where creating a new template from Project or Inventory did not auto-populate the Project field (AAP-41725)
* Fixed an issue where the Permission Denied message on the templates tab, when the user has permission, was misleading (AAP-40800)
* Fixed an issue where the repository URL in the Details page was incorrect (AAP-40160)
* Fixed a survey validation issue where the minimum length value of a question could be set to greater than the maximum length value (AAP-39932)
* Fixed a survey validation issue with text being treated as a number when evaluating its length (AAP-39931)
* Fixed an issue where the user was unable to create a schedule for Constructed inventory synchronization (AAP-38660)
* Fixed an issue with survey answers not being saved when editing or creating a schedule (AAP-37923)
* Fixed a bug where instance groups on a schedule could not be edited (AAP-37872)
* Introduced an Options section for the 'Signed collections only' and 'Sync all dependencies' checkboxes for Automation hub (AAP-36592)
* Added an info message about syncing dependencies outside the repository for Automation hub (AAP-36592)
* Fixed an issue where there was an inconsistency in the task timestamps between the Overview and Detail Views (AAP-36588)
* Fixed an issue where the verify_ssl checkbox was not checked by default in the Create Credential form (AAP-33889)
* Updated formatting of large numbers in the extra vars field (AAP-31805)
* automation-platform-ui has been updated to 2.6.4

Automation controller
* Added x-ai-description to the controller schema to provide an AI-friendly description for each endpoint (AAP-59819)
* Fixed Redis broken pipe error in long-running jobs (AAP-59728)
* Fixed GitHub App Installation Access Token Lookup to accept Iv2 Client IDs (AAP-58880)
* Updated controller to now use the force flag when syncing a project which has 'Allow branch override' enabled (AAP-58533)
* Bumped receptor collection to version 2.0.8, which is compatible with RHEL 10 (AAP-58421)
* Updated various aspects of the OpenAPI Specification in support of MCP MVP (AAP-53640)
* automation-controller has been updated to 4.7.6

Automation hub
* An autocomplete attribute was added to the Automation Hub API password field (AAP-59910)
* Automation hub upgrades now proceed when API access logging is enabled (AAP-59886)
* Fixed authentication failure for users with Team Admin role (AAP-58898)
* automation-hub has been updated to 4.11.4
* python3.11-galaxy-importer has been updated to 0.4.36
* python3.11-galaxy-ng has been updated to 4.11.4

Event-Driven Ansible
* Added x-ai-description to EDA endpoints for AAP MCP Server consumption (AAP-58431)
* automation-eda-controller has been updated to 1.2.3

Container-based Ansible Automation Platform
* Fixed an issue where, after an uninstall and reinstall of receptor, jobs were unable to start because stale exited containers with the same name were still present (AAP-59609)
* Configure podman PID limits, sysctls for inotify and kernel keys, and ulimit nofile for the user running AAP service containers, based on system resources (AAP-59438)
* containerized installer setup has been updated to 2.6-4

Additional changes
* Ansible development tools is now available for RHEL 10
* ansible-builder has been updated to 3.1.1
* ansible-creator has been updated to 25.12.0
* ansible-dev-environment has been updated to 25.12.2
* ansible-dev-tools has been updated to 25.12.0
* ansible-lint has been updated to 25.12.0
* ansible-navigator has been updated to 25.12.0
* ansible-sign has been updated to 0.1.4
* bindep has been updated to 2.13.0
* molecule has been updated to 25.12.0
* python3.11-ansible-compat has been updated to 25.12.0
* python3.11-distlib has been updated to 0.4.0
* python3.11-django has been updated to 4.2.26
* python3.11-execnet has been updated to 2.1.2
* python3.11-gunicorn has been updated to 23.0.0
* python3.11-pluggy has been updated to 1.6.0
* python3.11-pytest has been updated to 9.0.1
* python3.11-pytest-ansible has been updated to 25.12.0
* python3.11-pytest-xdist has been updated to 3.8.0
* python3.11-ruamel-yaml-clib has been updated to 0.2.15
* python3.11-subprocess-tee has been updated to 0.4.2
* python3.11-tox-ansible has been updated to 25.12.0
* python3.11-typing-extensions has been updated to 4.15.0

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected automation-controller-venv-tower and / or python3.11-django packages.

See Also

https://access.redhat.com/security/updates/classification/#important

https://bugzilla.redhat.com/show_bug.cgi?id=2412651

http://www.nessus.org/u?49c58108

https://access.redhat.com/errata/RHSA-2025:23070

Plugin Details

Severity: Critical

ID: 278140

File Name: redhat-RHSA-2025-23070.nasl

Version: 1.1

Type: local

Agent: unix

Published: 12/10/2025

Updated: 12/10/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.7

Vendor

Vendor Severity: Important

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2025-64459

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:automation-controller-venv-tower, p-cpe:/a:redhat:enterprise_linux:python3.11-django, cpe:/o:redhat:enterprise_linux:9

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/10/2025

Vulnerability Publication Date: 11/5/2025

Reference Information

CVE: CVE-2025-64459

CWE: 89

RHSA: 2025:23070