CVE-2025-7738

MEDIUM

Ansible AAP - Info Disclosure

Title source: llm

Description

A flaw was found in Ansible Automation Platform (AAP) where the Gateway API returns the client secret for certain GitHub Enterprise authenticators in clear text. This vulnerability affects administrators or auditors accessing authenticator configurations. While access is limited to privileged users, the clear text exposure of sensitive credentials increases the risk of accidental leaks or misuse.

References (5)

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:12772

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2025-7738

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=2381589

[Patch] https://github.com/ansible/django-ansible-base/commit/e241ea4dce8df577eda15301e0a8e61be647b27b

View Patch ZIP pw:eip

[Issue Tracking] https://github.com/ansible/django-ansible-base/pull/773

Scores

CVSS v3 4.4

EPSS 0.0003

EPSS Percentile 10.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-312

Status published

Products (3)

Ansible/django-ansible-base < 2025.7.22

Red Hat/Red Hat Ansible Automation Platform 2.5 for RHEL 8 0:2.5.20250730-1.el8ap

Red Hat/Red Hat Ansible Automation Platform 2.5 for RHEL 9 0:2.5.20250730-1.el9ap

Published Jul 31, 2025

Tracked Since Feb 18, 2026