Red Hat Ansible Automation Platform 2.4 for RHEL 8 and 9 contains several security vulnerabilities: CVE-2024-45801 is an XSS vulnerability in automation-controller caused by prototype pollution in dompurify; CVE-2024-45296 is a Regular Expression Denial of Service (ReDoS) in automation-controller's path-to-regexp component; CVE-2024-8775 involves exposure of sensitive information in Ansible Vault files due to improper logging in ansible-core; CVE-2024-9902 allows the ansible-core user to read or write unauthorized content. Red Hat has released updated packages (automation-controller 4.5.13, receptor 1.5.1, installer 2.4-8, ansible-core 2.15.13) that fix these vulnerabilities and other bugs. The advisory emphasizes backing up before and after upgrading. No CVSS scores are provided in the advisory, but the overall impact is rated moderate by Red Hat.

The vulnerabilities collectively could allow attackers to execute cross-site scripting attacks, cause denial of service via ReDoS, expose sensitive information from Ansible Vault files, and allow unauthorized read/write access by the ansible-core user. These impacts could compromise confidentiality, integrity, and availability of the automation platform and its managed systems. The vendor rates the overall security impact as moderate.

Red Hat has released official fixes for these vulnerabilities in Red Hat Ansible Automation Platform 2.4. Users should upgrade to the updated packages: automation-controller 4.5.13, receptor 1.5.1, installer 2.4-8, and ansible-core 2.15.13 or later. The advisory notes that the 2.4-8 installer can only restore backups created with 2.4-8 or later, so backups should be made before and after upgrading. Applying these updates will remediate the described vulnerabilities and address related bugs. No additional mitigation steps are indicated by the vendor.