A flaw was found in Ansible Automation Platform’s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access.
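Added example (not Red Hat's or the EDA project's code) showing the defensive shape of a `git ls-remote` call that does not give user-supplied URLs a way to be read as options: an allow-list of schemes, rejection of values that begin with `-`, a `--` separator so git stops option parsing, and an argv list with no shell. The URLs in the test are constructed sample inputs; the function names are assumptions.

```python
"""Hardened wrapper around `git ls-remote` for user-controlled URLs.

Added example; assumes the caller previously ran `git ls-remote <url>` with
the URL interpolated unchecked. Function and class names are assumptions.
"""
import subprocess
from urllib.parse import urlsplit

# Only network schemes; scp-style "host:path" and file:// are deliberately
# excluded because git treats them differently and they are easy to confuse.
ALLOWED_SCHEMES = {"https", "ssh", "git"}


class UnsafeGitUrl(ValueError):
    """Raised when a user-supplied URL must not reach git at all."""


def validate_git_url(url: str) -> str:
    """Return `url` unchanged if it is a plain remote URL, else raise."""
    if not url or url.lstrip().startswith("-"):
        # A value beginning with '-' would be parsed by git as an option.
        raise UnsafeGitUrl("URL must not start with '-'")
    if any(ch in url for ch in "\n\r\0"):
        raise UnsafeGitUrl("URL contains control characters")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise UnsafeGitUrl(f"scheme {parts.scheme!r} is not allowed")
    return url


def is_safe_git_url(url: str) -> bool:
    """Boolean form of validate_git_url, convenient for input validation."""
    try:
        validate_git_url(url)
    except UnsafeGitUrl:
        return False
    return True


def build_ls_remote_argv(url: str) -> list[str]:
    """argv for git ls-remote; `--` forces the URL to be positional."""
    return ["git", "ls-remote", "--", validate_git_url(url)]


def ls_remote(url: str, timeout: int = 30) -> str:
    """Run git as an argv list (no shell involved) and return its stdout."""
    result = subprocess.run(build_ls_remote_argv(url), capture_output=True,
                            text=True, timeout=timeout, check=True)
    return result.stdout
```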
Reserved 2025-06-06 | Published 2025-06-30 | Updated 2025-07-01 | Assigner redhat
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
2025-06-06: Reported to Red Hat.
2025-06-30: Made public.
access.redhat.com/errata/RHSA-2025:9986 (RHSA-2025:9986)
access.redhat.com/security/cve/CVE-2025-49520
bugzilla.redhat.com/show_bug.cgi?id=2370812 (RHBZ#2370812)