CVE-2025-2877

MEDIUM 6.5

Event-driven-ansible: exposure inventory passwords in plain text when starting a rulebook activation with verbosity set to debug in eda

CVSS Score

6.5

EPSS Score

0.3%

EPSS Percentile

49th

A flaw was found in the Ansible Automation Platform's Event-Driven Ansible. In configurations where verbosity is set to "debug", inventory passwords are exposed in plain text when starting a rulebook activation. This issue exists for any "debug" action in a rulebook and also affects Event Streams.

CWE	CWE-1295
Published	Mar 28, 2025
Last Updated	Mar 20, 2026

Stay Ahead of the Next One

Get instant alerts for

Be the first to know when new medium vulnerabilities are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

Red Hat / Red Hat Ansible Automation Platform 2.4 for RHEL 8

All versions affected

Red Hat / Red Hat Ansible Automation Platform 2.4 for RHEL 9

All versions affected

Red Hat / Red Hat Ansible Automation Platform 2.5 for RHEL 8

All versions affected

Red Hat / Red Hat Ansible Automation Platform 2.5 for RHEL 9

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

access.redhat.com: https://access.redhat.com/errata/RHSA-2025:3636 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:3637 access.redhat.com: https://access.redhat.com/security/cve/CVE-2025-2877 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2355540 github.com: https://github.com/ansible/ansible-rulebook/pull/767