Impact
A flaw in the AWX GitHub webhook integration lets an attacker who signs a forged pull_request webhook emulate a legitimate callback. The controller stores the pull_request.statuses_url from the payload without validating it points to a trusted GitHub API and later POSTs the job template’s Personal Access Token to that URL when reporting job status updates. This allows the attacker to redirect the callback to an arbitrary URL and exfiltrate the PAT, giving access to the attacker’s GitHub repository and any actions the token permits. The weakness is characterized as an unsafe input leading to an SSRF and credential leakage (CWE‑918).
Affected Systems
The vulnerability impacts Red Hat Ansible Automation Platform 2. All installations using the GitHub webhook integration are exposed when a job template is configured with a GitHub Personal Access Token as its webhook credential.
Risk and Exploitability
With a CVSS score of 6.3 the flaw is of moderate severity. Exploitation requires access to a valid job template webhook key and the ability to supply a signed GitHub pull_request webhook with a malicious callback URL. The EPSS score is not available, but the risk is realistic if webhook keys are exposed or stolen. The vulnerability is not listed in CISA KEV and no public patch is documented, so the risk remains until a vendor fix is released.
OpenCVE Enrichment