Filtered by vendor Redhat Subscriptions
Filtered by product Ansible Automation Platform Subscriptions
Total 130 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-24680 2 Djangoproject, Redhat 6 Django, Ansible Automation Platform, Openstack and 3 more 2024-08-01 7.5 High
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
CVE-2024-23334 3 Aiohttp, Fedoraproject, Redhat 6 Aiohttp, Fedora, Ansible Automation Platform and 3 more 2024-08-01 5.9 Medium
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.
CVE-2024-22195 2 Palletsprojects, Redhat 9 Jinja, Ansible Automation Platform, Ceph Storage and 6 more 2024-08-01 5.4 Medium
Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.
CVE-2024-21503 2 Python Software Foundation, Redhat 2 Black, Ansible Automation Platform 2024-08-01 5.3 Medium
Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.
CVE-2024-21520 2 Django-rest-framework, Redhat 2 Django Rest Framework, Ansible Automation Platform 2024-08-01 6.1 Medium
Versions of the package djangorestframework before 3.15.2 are vulnerable to Cross-site Scripting (XSS) via the break_long_headers template filter due to improper input sanitization before splitting and joining with <br> tags.
CVE-2024-5569 1 Redhat 4 Ansible Automation Platform, Openshift Ironic, Satellite and 1 more 2024-08-01 6.2 Medium
A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.
CVE-2024-4340 1 Redhat 1 Ansible Automation Platform 2024-08-01 7.5 High
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
CVE-2024-3772 1 Redhat 1 Ansible Automation Platform 2024-08-01 5.9 Medium
Regular expression denial of service in Pydanic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string.
CVE-2024-3651 2 Kjd, Redhat 8 Internationalized Domain Names In Applications, Ansible Automation Platform, Enterprise Linux and 5 more 2024-08-01 7.5 High
A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.
CVE-2024-1135 1 Redhat 5 Ansible Automation Platform, Openshift, Openstack and 2 more 2024-08-01 N/A
Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.