Red Hat Ansible Automation Platform 2.4 for RHEL 8 and 9 has multiple security fixes addressing four CVEs: CVE-2024-7143 fixes incorrect RBAC permissions assignment in pulpcore tasks that create objects; CVE-2024-37891 fixes urllib3's failure to strip proxy-authorization headers during cross-origin redirects; CVE-2024-24790 addresses unexpected behavior in golang net/netip Is methods for IPv4-mapped IPv6 addresses; and CVE-2024-24788 resolves an infinite loop caused by malformed DNS messages in golang net package. These vulnerabilities are rated moderate in severity by Red Hat Product Security. Updated packages for automation-controller, python3-pulpcore, python3-urllib3, receptor, and python3-django have been released to remediate these issues. The advisory includes detailed package versions and SHA-256 checksums. No cloud service is involved, and no known active exploitation has been reported.

The vulnerabilities could lead to improper access control due to RBAC misconfiguration, potential leakage of proxy-authorization headers during redirects, unexpected behavior in IP address handling, and denial of service via infinite loops in DNS processing. These issues may affect the security and stability of the Ansible Automation Platform environment if unpatched. However, no known exploits in the wild have been reported at this time. The overall impact is rated moderate by Red Hat.

Red Hat has released official patches addressing all identified vulnerabilities in Ansible Automation Platform 2.4 and related components. Users should apply the updates to automation-controller (version 4.5.11), python3-pulpcore (3.28.32), python3-urllib3 (1.26.20), receptor (1.4.8-1.1), and python3-django (4.2.16) as provided in the advisory RHSA-2024:6765. Applying these updates will remediate the security issues. No additional mitigation actions are indicated by the vendor advisory.