6.7
CVE-2025-9908
- EPSS 0%
- Veröffentlicht 27.02.2026 07:29:32
- Zuletzt bearbeitet 25.03.2026 20:19:13
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Event-driven-ansible: sensitive internal headers disclosure in aap eda event streams
A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. This vulnerability allows an authenticated user to gain access to sensitive internal infrastructure headers (such as X-Trusted-Proxy and X-Envoy-*) and event stream URLs via crafted requests and job templates. By exfiltrating these headers, an attacker could spoof trusted requests, escalate privileges, or perform malicious event injection.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Redhat ≫ Ansible Automation Platform Version < 2.6
Redhat ≫ Ansible Developer Version1.2
Redhat ≫ Ansible Developer Version1.3
Redhat ≫ Ansible Inside Version1.3
Redhat ≫ Ansible Inside Version1.4
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0% | 0.002 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 6.7 | 0.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.