THREATINT
PUBLISHED

CVE-2025-49520

Event-Driven Ansible: authenticated argument injection in Git URL in EDA project creation



Description

A flaw was found in Ansible Automation Platform’s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access.
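As an added example (not code from the Event-Driven Ansible project), the pattern below shows the defensive shape the description implies: validate a user-supplied Git URL before it reaches `git ls-remote`, and build the command so the URL can only ever be a positional argument. The function names, the scheme allow-list and the rejection of scp-style remotes are assumptions of this example.

```python
# Added example (not code from the EDA project): validate a user-supplied Git
# URL before it reaches `git ls-remote`, and build the argv so the URL can
# only ever be a positional argument. Function names are assumptions.
import re
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https", "http", "ssh", "git"}  # policy assumption
_HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?")

def is_safe_git_url(url: str) -> bool:
    """Accept only explicit-scheme URLs that git cannot mistake for an option.

    scp-style `user@host:path` remotes carry no scheme and are rejected too.
    """
    if not url or url.startswith("-"):
        return False  # anything starting with '-' could be parsed as a flag
    if re.search(r"[\s\x00-\x1f\x7f]", url):
        return False  # whitespace or control chars never belong in a remote
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # e.g. malformed IPv6 brackets
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    # The host is what git hands to ssh/curl; it must look like a hostname,
    # so a leading '-' there is rejected as well.
    return _HOST_RE.fullmatch(parts.hostname or "") is not None

def build_ls_remote_argv(url: str) -> list:
    """Return the argv for `git ls-remote` with the URL placed after `--`.

    `--` ends option parsing, so git treats whatever follows as the
    repository name rather than as an argument.
    """
    if not is_safe_git_url(url):
        raise ValueError(f"refusing unsafe git url: {url!r}")
    return ["git", "ls-remote", "--", url]

def ls_remote(url: str, timeout: float = 30.0) -> str:
    """Run the validated command without a shell and return git's stdout."""
    result = subprocess.run(build_ls_remote_argv(url), capture_output=True,
                            text=True, timeout=timeout, check=True)
    return result.stdout
```

The argv list is passed to `subprocess.run` without `shell=True`, so the only remaining question is how git itself parses the value, which the validator and the `--` separator address together.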

Reserved 2025-06-06 | Published 2025-06-30 | Updated 2025-07-01 | Assigner redhat


HIGH: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Problem types

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Product status

Default status: affected
0:1.1.11-1.el8ap before *: unaffected

Default status: affected
0:1.1.11-1.el9ap before *: unaffected

Timeline

2025-06-06: Reported to Red Hat.
2025-06-30: Made public.

References

access.redhat.com/errata/RHSA-2025:9986 (RHSA-2025:9986) vendor-advisory

access.redhat.com/security/cve/CVE-2025-49520 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2370812 (RHBZ#2370812) issue-tracking

cve.org (CVE-2025-49520)

nvd.nist.gov (CVE-2025-49520)

https://cve.threatint.eu/CVE/CVE-2025-49520