This advisory covers three main vulnerabilities in Red Hat Ansible Automation Platform 2.4: two sandbox breakout vulnerabilities in Jinja2 templating (CVE-2024-56201 and CVE-2024-56326) that allow escaping the sandbox through indirect references to the format method and malicious filenames, and a potential SQL injection vulnerability (CVE-2024-53908) in the HasKey(lhs, rhs) function when used with Oracle databases. These issues affect the automation-controller component and the python3-jinja2 package. Red Hat has released updated packages including automation-controller 4.5.17 and python3-jinja2 3.1.5 that address these vulnerabilities. Additional bug fixes and improvements are included in these updates. The advisory does not provide CVSS scores but rates the impact as Important.

The vulnerabilities could allow an attacker to escape the Jinja sandbox restrictions, potentially leading to unauthorized code execution or manipulation within the automation environment. The SQL injection vulnerability could allow an attacker to execute arbitrary SQL commands on Oracle databases through the HasKey(lhs, rhs) function, potentially compromising data integrity or confidentiality. These impacts affect the security and reliability of automation workflows managed by the platform.

Red Hat has released official fixes for these vulnerabilities in automation-controller version 4.5.17 and python3-jinja2 version 3.1.5 as part of the Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update. Users should apply these updates promptly to remediate the security issues. The vendor advisory confirms these fixes are available and no additional mitigation steps are indicated beyond applying the updated packages.