5.3

CVE-2025-5988

Aap-gateway: csrf origin checking is disabled

A flaw was found in the Ansible aap-gateway. Cross-site request forgery (CSRF) origin checking is not done on requests from the gateway to external components, such as the controller, hub, and eda.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Collection URLhttps://gitlab.cee.redhat.com/ansible/aap-gateway/
Paket automation-gateway-server
Default Statusunaffected
Version 0
Version < 2.5.20250730
Status affected
HerstellerRed Hat
Produkt Red Hat Ansible Automation Platform 2.5 for RHEL 8
Default Statusaffected
Version 0:2.5.20250730-2.el8ap
Version < *
Status unaffected
HerstellerRed Hat
Produkt Red Hat Ansible Automation Platform 2.5 for RHEL 9
Default Statusaffected
Version 0:2.5.20250730-2.el9ap
Version < *
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.25% 0.161
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
secalert@redhat.com 5.3 1.6 3.6
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

https://access.redhat.com/security/cve/CVE-2025-5988
https://bugzilla.redhat.com/show_bug.cgi?id=2371644
https://access.redhat.com/errata/RHSA-2025:12772