Threats Tagged 'cve-2024-52304'

Red Hat Ansible Automation Platform 2. 5 has multiple security vulnerabilities including a denial-of-service through data corruption in gRPC-C++ (CVE-2024-11407), potential SQL injection on Oracle (CVE-2024-53908), denial-of-service in Django's strip_tags function (CVE-2024-53907), request smuggling in aiohttp (CVE-2024-52304), and mishandling of non-integer values in nanoid (CVE-2024-55565). Red Hat has released an important security advisory with updates and fixes addressing these issues in version 2. 5. The advisory includes various bug fixes and enhancements across the platform components. The vulnerabilities affect multiple architectures and versions of Red Hat Ansible Automation Platform 2. 5 for RHEL 8 and 9. The vendor advisory confirms that updates are available to remediate these vulnerabilities.

Red Hat Ansible Automation Platform 2. 5 includes a security update addressing a vulnerability in the automation-controller component where the aiohttp library is susceptible to HTTP request smuggling due to incorrect parsing of chunk extensions (CVE-2024-52304). This vulnerability is rated as moderate severity by Red Hat. The update also includes multiple bug fixes and improvements across the platform components. The advisory does not indicate any known exploits in the wild. The update is available as Red Hat Ansible Automation Platform 2. 5 version 4. 6. 3 for automation-controller and related component updates.

Red Hat Satellite 6. 16. 1 includes a security update addressing a vulnerability in the aiohttp library (CVE-2024-52304) that allows HTTP request smuggling due to incorrect parsing of chunk extensions. This vulnerability is rated as moderate severity by Red Hat Product Security. The issue affects Red Hat Satellite 6. 16 for RHEL 8 and 9. Users are advised to upgrade to the updated packages provided by Red Hat to remediate this vulnerability. The update is part of a broader Satellite 6. 16. 1 release that also fixes various bugs.

Red Hat Ansible Automation Platform Execution Environments containers have multiple security vulnerabilities affecting the ee-minimal-container image. These include a request smuggling vulnerability in aiohttp due to incorrect parsing of chunk extensions (CVE-2024-52304) and two sandbox breakout vulnerabilities in Jinja templating through malicious filenames (CVE-2024-56201) and indirect references to the format method (CVE-2024-56326). These issues could allow an attacker to bypass security restrictions within the container environment. Red Hat has issued an important security advisory with updated container images addressing these vulnerabilities.

Red Hat Ansible Automation Platform Execution Environments container images contain multiple security vulnerabilities. These include a request smuggling vulnerability in aiohttp due to incorrect parsing of chunk extensions (CVE-2024-52304) and two sandbox breakout vulnerabilities in Jinja templating through malicious filenames (CVE-2024-56201) and indirect reference to the format method (CVE-2024-56326). These issues affect the ee-minimal-container used in the platform. Red Hat has issued an important security advisory (RHSA-2025:1101) addressing these vulnerabilities with updated container images.

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.10.11 fixes the issue.

MediumVulnerabilityGermanyUnited KingdomFrance+5#cve#cve-2024-52304#cwe-444