{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-1801", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-02-28T20:42:32.553Z", "datePublished": "2025-03-03T15:03:15.439Z", "dateUpdated": "2025-09-25T17:43:58.119Z"}, "containers": {"cna": {"title": "Aap-gateway: aap-gateway privilege escalation", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Ansible aap-gateway. Concurrent requests handled by the gateway grpc service can result in concurrency issues due to race condition requests against the proxy. This issue potentially allows a less privileged user to obtain the JWT of a greater privileged user, enabling the server to be jeopardized. A user session or confidential data might be vulnerable."}], "affected": [{"versions": [{"status": "affected", "version": "2.5.0", "lessThan": "2.5.20250305-1", "versionType": "rpm"}], "packageName": "automation-gateway", "collectionURL": "https://ansible.com", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "automation-gateway", "defaultStatus": "affected", "versions": [{"version": "0:2.5.20250305-1.el8ap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ansible_automation_platform:2.5::el8", "cpe:/a:redhat:ansible_automation_platform:2.5::el9"]}, {"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "automation-gateway", "defaultStatus": "affected", "versions": [{"version": "0:2.5.20250305-1.el9ap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ansible_automation_platform:2.5::el8", "cpe:/a:redhat:ansible_automation_platform:2.5::el9"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:1954", "name": "RHSA-2025:1954", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2025-1801", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2349081", "name": "RHBZ#2349081", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2025-03-01T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "description": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "workarounds": [{"lang": "en", "value": "Follow the mitigation steps to avoid the flaw from happening. It is recommended to update the product after the fix is available.\n\n\n1) set GRPC_SERVER_MAX_THREADS_PER_PROCESS = 1\n\nThis mitigates problems going FORWARD for the issue because there is only one thread using the ExternalAuth() object instantiated by the parent process. This eliminates the thread safety risk as the worker only processes one request at a time.\n\n2) It is possible that at any time since the install/upgrade of AAP 2.5, that long lived Oauth tokens created in the components with the endpoints could implicate long term access to a different user's identity/privileges. Requests made with these tokens will appear to be from the user for which they were created and are indistinguishable from \u201cvalid\u201d tokens that were created by the correct user:\n\n/api/controller/v2/tokens/\n/api/controller/v2/applications/<id>/tokens/\n/api/galaxy/v3/auth/token/\n/api/controller/o/token/\n\nBecause it is likely not feasible to back trace every request that could have generated a token to its original request in the GRPC server, the most conservative and safe path to mitigate this risk would be to invalidate/revoke all existing oauth tokens in the components (hub, controller, eda)."}], "timeline": [{"lang": "en", "time": "2025-02-28T20:34:52.617000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-03-01T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "This issue was discovered by Chris Meyers (Red Hat) and Elijah DeLee (Red Hat)."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-09-25T17:43:58.119Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-03T15:16:01.168075Z", "id": "CVE-2025-1801", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-03T15:16:20.194Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1801", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-03T15:16:01.168075Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-03T15:16:13.013Z"}}], "cna": {"title": "Aap-gateway: aap-gateway privilege escalation", "credits": [{"lang": "en", "value": "This issue was discovered by Chris Meyers (Red Hat) and Elijah DeLee (Red Hat)."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"versions": [{"status": "affected", "version": "2.5.0", "lessThan": "2.5.20250305-1", "versionType": "rpm"}], "packageName": "automation-gateway", "collectionURL": "https://ansible.com", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:ansible_automation_platform:2.5::el8", "cpe:/a:redhat:ansible_automation_platform:2.5::el9"], "vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:2.5.20250305-1.el8ap", "lessThan": "*", "versionType": "rpm"}], "packageName": "automation-gateway", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:ansible_automation_platform:2.5::el8", "cpe:/a:redhat:ansible_automation_platform:2.5::el9"], "vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:2.5.20250305-1.el9ap", "lessThan": "*", "versionType": "rpm"}], "packageName": "automation-gateway", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2025-02-28T20:34:52.617000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-03-01T00:00:00+00:00", "value": "Made public."}], "datePublic": "2025-03-01T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:1954", "name": "RHSA-2025:1954", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2025-1801", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2349081", "name": "RHBZ#2349081", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Follow the mitigation steps to avoid the flaw from happening. It is recommended to update the product after the fix is available.\n\n\n1) set GRPC_SERVER_MAX_THREADS_PER_PROCESS = 1\n\nThis mitigates problems going FORWARD for the issue because there is only one thread using the ExternalAuth() object instantiated by the parent process. This eliminates the thread safety risk as the worker only processes one request at a time.\n\n2) It is possible that at any time since the install/upgrade of AAP 2.5, that long lived Oauth tokens created in the components with the endpoints could implicate long term access to a different user's identity/privileges. Requests made with these tokens will appear to be from the user for which they were created and are indistinguishable from \u201cvalid\u201d tokens that were created by the correct user:\n\n/api/controller/v2/tokens/\n/api/controller/v2/applications/<id>/tokens/\n/api/galaxy/v3/auth/token/\n/api/controller/o/token/\n\nBecause it is likely not feasible to back trace every request that could have generated a token to its original request in the GRPC server, the most conservative and safe path to mitigate this risk would be to invalidate/revoke all existing oauth tokens in the components (hub, controller, eda)."}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Ansible aap-gateway. Concurrent requests handled by the gateway grpc service can result in concurrency issues due to race condition requests against the proxy. This issue potentially allows a less privileged user to obtain the JWT of a greater privileged user, enabling the server to be jeopardized. A user session or confidential data might be vulnerable."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-09-25T17:43:58.119Z"}, "x_redhatCweChain": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}}, "cveMetadata": {"cveId": "CVE-2025-1801", "state": "PUBLISHED", "dateUpdated": "2025-09-25T17:43:58.119Z", "dateReserved": "2025-02-28T20:42:32.553Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2025-03-03T15:03:15.439Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the Ansible aap-gateway. Concurrent requests handled by the gateway grpc service can result in concurrency issues due to race condition requests against the proxy. This issue potentially allows a less privileged user to obtain the JWT of a greater privileged user, enabling the server to be jeopardized. A user session or confidential data might be vulnerable."}], "id": "CVE-2025-1801", "lastModified": "2025-03-03T15:15:16.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2025-03-03T15:15:16.500", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:1954"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2025-1801"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2349081"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Chris Meyers (Red Hat) and Elijah DeLee (Red Hat).", "affected_release": [{"advisory": "RHSA-2025:1954", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.5::el8", "package": "automation-gateway-0:2.5.20250305-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.5 for RHEL 8", "release_date": "2025-03-01T00:00:00Z"}, {"advisory": "RHSA-2025:1954", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.5::el9", "package": "automation-gateway-0:2.5.20250305-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.5 for RHEL 9", "release_date": "2025-03-01T00:00:00Z"}], "bugzilla": {"description": "aap-gateway: aap-gateway privilege escalation", "id": "2349081", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2349081"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-362", "details": ["A flaw was found in the Ansible aap-gateway. Concurrent requests handled by the gateway grpc service can result in concurrency issues due to race condition requests against the proxy. This issue potentially allows a less privileged user to obtain the JWT of a greater privileged user, enabling the server to be jeopardized. A user session or confidential data might be vulnerable.", "A flaw was found in the Ansible aap-gateway. Concurrent requests handled by the gateway grpc service can result in concurrency issues due to race condition requests against the proxy. This issue potentially allows a less privileged user to obtain the JWT of a greater privileged user, enabling the server to be jeopardized. A user session or confidential data might be vulnerable."], "mitigation": {"lang": "en:us", "value": "Follow the mitigation steps to avoid the flaw from happening. It is recommended to update the product after the fix is available.\n1) set GRPC_SERVER_MAX_THREADS_PER_PROCESS = 1\nThis mitigates problems going FORWARD for the issue because there is only one thread using the ExternalAuth() object instantiated by the parent process. This eliminates the thread safety risk as the worker only processes one request at a time.\n2) It is possible that at any time since the install/upgrade of AAP 2.5, that long lived Oauth tokens created in the components with the endpoints could implicate long term access to a different user's identity/privileges. Requests made with these tokens will appear to be from the user for which they were created and are indistinguishable from \u201cvalid\u201d tokens that were created by the correct user:\n/api/controller/v2/tokens/\n/api/controller/v2/applications/<id>/tokens/\n/api/galaxy/v3/auth/token/\n/api/controller/o/token/\nBecause it is likely not feasible to back trace every request that could have generated a token to its original request in the GRPC server, the most conservative and safe path to mitigate this risk would be to invalidate/revoke all existing oauth tokens in the components (hub, controller, eda)."}, "name": "CVE-2025-1801", "public_date": "2025-03-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-1801\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-1801"], "statement": "Red Hat has evaluated this vulnerability. This issue only affects versions AAP 2.5 GA and onwards.", "threat_severity": "Important"}