cve-2025-1801
Vulnerability from cvelistv5
Published
2025-03-03 15:03
Modified
2025-03-03 15:16
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS score ?
0.03% (0.05644)
Summary
A flaw was found in the Ansible aap-gateway. Concurrent requests handled by the gateway grpc service can result in concurrency issues due to race condition requests against the proxy. This issue potentially allows a less privileged user to obtain the JWT of a greater privileged user, enabling the server to be jeopardized. A user session or confidential data might be vulnerable.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2025:1954
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2025-1801
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2349081
Impacted products
Vendor Product Version
Red Hat Red Hat Ansible Automation Platform 2.5 for RHEL 8 Unaffected: 0:2.5.20250305-1.el8ap   < *
    cpe:/a:redhat:ansible_automation_platform:2.5::el9
    cpe:/a:redhat:ansible_automation_platform:2.5::el8
 Create a notification for this product.
   Red Hat Red Hat Ansible Automation Platform 2.5 for RHEL 9 Unaffected: 0:2.5.20250305-1.el9ap   < *
    cpe:/a:redhat:ansible_automation_platform:2.5::el9
    cpe:/a:redhat:ansible_automation_platform:2.5::el8
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2025-1801",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-03-03T15:16:01.168075Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-03-03T15:16:20.194Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
                  "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
               ],
               defaultStatus: "affected",
               packageName: "automation-gateway",
               product: "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
               vendor: "Red Hat",
               versions: [
                  {
                     lessThan: "*",
                     status: "unaffected",
                     version: "0:2.5.20250305-1.el8ap",
                     versionType: "rpm",
                  },
               ],
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
                  "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
               ],
               defaultStatus: "affected",
               packageName: "automation-gateway",
               product: "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
               vendor: "Red Hat",
               versions: [
                  {
                     lessThan: "*",
                     status: "unaffected",
                     version: "0:2.5.20250305-1.el9ap",
                     versionType: "rpm",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               value: "This issue was discovered by Chris Meyers (Red Hat) and Elijah DeLee (Red Hat).",
            },
         ],
         datePublic: "2025-03-01T00:00:00.000Z",
         descriptions: [
            {
               lang: "en",
               value: "A flaw was found in the Ansible aap-gateway. Concurrent requests handled by the gateway grpc service can result in concurrency issues due to race condition requests against the proxy. This issue potentially allows a less privileged user to obtain the JWT of a greater privileged user, enabling the server to be jeopardized. A user session or confidential data might be vulnerable.",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     namespace: "https://access.redhat.com/security/updates/classification/",
                     value: "Important",
                  },
                  type: "Red Hat severity rating",
               },
            },
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 8.1,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  version: "3.1",
               },
               format: "CVSS",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-362",
                     description: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-03-03T15:03:15.439Z",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "RHSA-2025:1954",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2025:1954",
            },
            {
               tags: [
                  "vdb-entry",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/security/cve/CVE-2025-1801",
            },
            {
               name: "RHBZ#2349081",
               tags: [
                  "issue-tracking",
                  "x_refsource_REDHAT",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2349081",
            },
         ],
         timeline: [
            {
               lang: "en",
               time: "2025-02-28T20:34:52.617000+00:00",
               value: "Reported to Red Hat.",
            },
            {
               lang: "en",
               time: "2025-03-01T00:00:00+00:00",
               value: "Made public.",
            },
         ],
         title: "Aap-gateway: aap-gateway privilege escalation",
         workarounds: [
            {
               lang: "en",
               value: "Follow the mitigation steps to avoid the flaw from happening. It is recommended to update the product after the fix is available.\n\n\n1) set GRPC_SERVER_MAX_THREADS_PER_PROCESS = 1\n\nThis mitigates problems going FORWARD for the issue because there is only one thread using the ExternalAuth() object instantiated by the parent process. This eliminates the thread safety risk as the worker only processes one request at a time.\n\n2) It is possible that at any time since the install/upgrade of AAP 2.5, that long lived Oauth tokens created in the components with the endpoints could implicate long term access to a different user's identity/privileges. Requests made with these tokens will appear to be from the user for which they were created and are indistinguishable from “valid” tokens that were created by the correct user:\n\n/api/controller/v2/tokens/\n/api/controller/v2/applications/<id>/tokens/\n/api/galaxy/v3/auth/token/\n/api/controller/o/token/\n\nBecause it is likely not feasible to back trace every request that could have generated a token to its original request in the GRPC server, the most conservative and safe path to mitigate this risk would be to invalidate/revoke all existing oauth tokens in the components (hub, controller, eda).",
            },
         ],
         x_redhatCweChain: "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')",
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2025-1801",
      datePublished: "2025-03-03T15:03:15.439Z",
      dateReserved: "2025-02-28T20:42:32.553Z",
      dateUpdated: "2025-03-03T15:16:20.194Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2025-1801\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2025-03-03T15:15:16.500\",\"lastModified\":\"2025-03-03T15:15:16.500\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in the Ansible aap-gateway. Concurrent requests handled by the gateway grpc service can result in concurrency issues due to race condition requests against the proxy. This issue potentially allows a less privileged user to obtain the JWT of a greater privileged user, enabling the server to be jeopardized. A user session or confidential data might be vulnerable.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHSA-2025:1954\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2025-1801\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2349081\",\"source\":\"secalert@redhat.com\"}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-1801\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-03T15:16:01.168075Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-03T15:16:13.013Z\"}}], \"cna\": {\"title\": \"Aap-gateway: aap-gateway privilege escalation\", \"credits\": [{\"lang\": \"en\", \"value\": \"This issue was discovered by Chris Meyers (Red Hat) and Elijah DeLee (Red Hat).\"}], \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Important\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2.5::el9\", \"cpe:/a:redhat:ansible_automation_platform:2.5::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2.5 for RHEL 8\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:2.5.20250305-1.el8ap\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"automation-gateway\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2.5::el9\", \"cpe:/a:redhat:ansible_automation_platform:2.5::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2.5 for RHEL 9\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:2.5.20250305-1.el9ap\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"automation-gateway\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-02-28T20:34:52.617000+00:00\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2025-03-01T00:00:00+00:00\", \"value\": \"Made public.\"}], \"datePublic\": \"2025-03-01T00:00:00.000Z\", \"references\": [{\"url\": \"https://access.redhat.com/errata/RHSA-2025:1954\", \"name\": \"RHSA-2025:1954\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2025-1801\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2349081\", \"name\": \"RHBZ#2349081\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Follow the mitigation steps to avoid the flaw from happening. It is recommended to update the product after the fix is available.\\n\\n\\n1) set GRPC_SERVER_MAX_THREADS_PER_PROCESS = 1\\n\\nThis mitigates problems going FORWARD for the issue because there is only one thread using the ExternalAuth() object instantiated by the parent process. This eliminates the thread safety risk as the worker only processes one request at a time.\\n\\n2) It is possible that at any time since the install/upgrade of AAP 2.5, that long lived Oauth tokens created in the components with the endpoints could implicate long term access to a different user's identity/privileges. Requests made with these tokens will appear to be from the user for which they were created and are indistinguishable from \\u201cvalid\\u201d tokens that were created by the correct user:\\n\\n/api/controller/v2/tokens/\\n/api/controller/v2/applications/<id>/tokens/\\n/api/galaxy/v3/auth/token/\\n/api/controller/o/token/\\n\\nBecause it is likely not feasible to back trace every request that could have generated a token to its original request in the GRPC server, the most conservative and safe path to mitigate this risk would be to invalidate/revoke all existing oauth tokens in the components (hub, controller, eda).\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was found in the Ansible aap-gateway. Concurrent requests handled by the gateway grpc service can result in concurrency issues due to race condition requests against the proxy. This issue potentially allows a less privileged user to obtain the JWT of a greater privileged user, enabling the server to be jeopardized. A user session or confidential data might be vulnerable.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-362\", \"description\": \"Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2025-03-03T15:03:15.439Z\"}, \"x_redhatCweChain\": \"CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')\"}}",
         cveMetadata: "{\"cveId\": \"CVE-2025-1801\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-03T15:16:20.194Z\", \"dateReserved\": \"2025-02-28T20:42:32.553Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2025-03-03T15:03:15.439Z\", \"assignerShortName\": \"redhat\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.