This advisory covers three security vulnerabilities in Red Hat Ansible Automation Platform 2.4's automation-controller: CVE-2024-28102 involves a denial of service via malicious JWE tokens in the jwcrypto library; CVE-2024-34064 concerns jinja2 accepting keys with non-attribute characters potentially leading to unexpected behavior; CVE-2024-35195 allows subsequent HTTP requests to the same host to ignore certificate verification due to a flaw in the requests library. Red Hat has issued an update to automation-controller version 4.5.8 that addresses these issues along with other bug fixes. The vulnerabilities are rated as moderate in severity by Red Hat Product Security. The advisory does not provide CVSS scores but references CVE pages for detailed scoring. No known active exploitation has been reported. The update also includes fixes for configuration handling and role deletion behavior.

The vulnerabilities could allow denial of service via malicious JWE tokens, potential security bypass or unexpected behavior due to improper key handling in jinja2 templates, and weakened TLS certificate verification in HTTP requests. These issues could impact the reliability and security of automation workflows managed by the platform. The overall security impact is rated moderate by Red Hat. There are no reports of known exploits in the wild at this time.

Red Hat has released an official fix in automation-controller version 4.5.8 and related component updates for Ansible Automation Platform 2.4. Users should apply these updates promptly to remediate the vulnerabilities. The vendor advisory confirms the availability of these fixes. No additional mitigation steps beyond applying the official update are indicated.