CVE-2025-49520 Information
Jul 01, 2025
cve
Description
A flaw was found in Ansible Automation Platform’s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments this can lead to service account token theft and cluster access.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Reference
https://access.redhat.com/security/cve/CVE-2025-49520 https://bugzilla.redhat.com/show_bug.cgi?id=2370812
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
LOW
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
HIGH
Base Severity
8.8
Related CNNVD
CNNVD-202506-3731 (Published: 2025-06-30)
Share on: