This Red Hat Security Advisory (RHSA-2024:8534) addresses multiple vulnerabilities in Red Hat Ansible Automation Platform 2.5. The issues fixed include a cross-site scripting vulnerability (CVE-2024-10033) in the automation-gateway component, memory exhaustion vulnerabilities in Django utilities (CVE-2024-41989 and CVE-2024-45230) used by the automation-controller, and a memory exhaustion attack against the QUIC connection ID mechanism in receptor (CVE-2024-22189). The update also provides support for upgrades from version 2.4 to 2.5 and includes various component updates and enhancements. The advisory rates the overall security impact as moderate and does not provide CVSS scores within the advisory itself, directing users to the CVE pages for detailed scoring.

The vulnerabilities fixed in this update could allow an attacker to cause memory exhaustion or denial-of-service conditions in affected components, and in the case of CVE-2024-10033, perform cross-site scripting attacks via the automation-gateway. These issues could disrupt the availability or integrity of the Ansible Automation Platform services. The advisory rates the impact as moderate, indicating that while these vulnerabilities are significant, they do not represent critical or high-severity risks based on current information.

Red Hat has released an official product update for Ansible Automation Platform 2.5 that addresses these vulnerabilities. Users should apply the update to upgrade to the fixed versions of the affected components, including automation-controller 4.6.2, automation-gateway 2.5.3, receptor 1.4.9, and related packages. The update supports upgrades from version 2.4 to 2.5 for both RPM and Operator-based deployments. No additional mitigation steps are indicated beyond applying the official update. Patch status is confirmed by the vendor advisory.