CVE-2025-5988
BaseFortify
Publication date: 2025-08-04
Last updated on: 2025-08-05
Assigner: Red Hat, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| red_hat | automation_controller | 4.6.18 |
| red_hat | ansible_automation_platform | 2.5 |
| red_hat | automation_hub | 4.10.6 |
| red_hat | python3.11_django_ansible_base | 2.5.20250730 |
| red_hat | automation_gateway | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw in the Ansible aap-gateway where Cross-Site Request Forgery (CSRF) origin checking is not performed on requests from the gateway to external components like the controller, hub, and eda. Instead of proper origin verification, the gateway relies only on referer checking for HTTPS requests after TLS edge termination. To exploit this, an attacker needs a valid CSRF form token linked to the victim's CSRF cookie, which requires making a cross-origin request using the victim's cookies to obtain the token. Modern browsers typically block such cross-origin requests, which reduces the likelihood of exploitation. [1]
How can this vulnerability impact me? :
If exploited, this vulnerability could allow an attacker to perform unauthorized actions on behalf of a user by bypassing CSRF protections in the aap-gateway component. This could lead to unauthorized requests being sent to external components like the controller, hub, and eda, potentially compromising the integrity of operations managed through these components. However, exploitation is mitigated by the need for a valid CSRF token and modern browser restrictions on cross-origin requests. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring requests from the aap-gateway to external components (controller, hub, eda) for missing CSRF origin checks. Since the vulnerability relates to missing origin verification on these requests, you can inspect HTTP requests for absence of proper CSRF origin headers or tokens. Network traffic analysis tools like tcpdump or Wireshark can be used to capture and analyze such requests. For example, you can use commands like 'tcpdump -i <interface> -A port 443' to capture HTTPS traffic and then inspect for CSRF tokens or origin headers. Additionally, reviewing application logs for suspicious cross-origin requests without proper origin verification may help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the aap-gateway to trusted users and networks to reduce the risk of CSRF attacks. Applying any available patches or updates from the vendor addressing this vulnerability is critical. Additionally, enforcing strict origin checking on requests from the gateway to external components, or implementing additional CSRF protections such as validating CSRF tokens on all requests, can help mitigate the issue. Monitoring for suspicious activity and limiting the use of cross-origin requests involving the gateway can also reduce risk. [1]