CVE-2024-11483
Automation-gateway: aap-gateway: improper scope handling in oauth2 tokens for aap 2.5
CVSS Score
5.0
EPSS Score
0.0%
EPSS Percentile
0th
A vulnerability was found in the Ansible Automation Platform (AAP). This flaw allows attackers to escalate privileges by improperly leveraging read-scoped OAuth2 tokens to gain write access. This issue affects API endpoints that rely on ansible_base.oauth2_provider for OAuth2 authentication. While the impact is limited to actions within the userβs assigned permissions, it undermines scoped access controls, potentially allowing unintended modifications in the application and consuming services.
| CWE | CWE-284 |
| Published | Nov 25, 2024 |
| Last Updated | Nov 20, 2025 |
Stay Ahead of the Next One
Get instant alerts for
Be the first to know when new medium vulnerabilities are published β delivered to Slack, Telegram or Discord.
Get Free Alerts β
Free Β· No credit card Β· 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None
Affected Versions
Red Hat / Red Hat Ansible Automation Platform 2.5 for RHEL 8
All versions affected Red Hat / Red Hat Ansible Automation Platform 2.5 for RHEL 9
All versions affected References
access.redhat.com: https://access.redhat.com/errata/RHSA-2024:11145 access.redhat.com: https://access.redhat.com/security/cve/CVE-2024-11483 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2327579 github.com: https://github.com/ansible/django-ansible-base/commit/845b3e1838cc0762a7f9f3e0379c5274519d9a44
Credits
Red Hat would like to thank David Newswanger (RedHat) and Rick Elrod (RedHat) for reporting this issue.