A vulnerability was found in the Ansible Automation Platform (AAP). This flaw allows attackers to escalate privileges by improperly leveraging read-scoped OAuth2 tokens to gain write access. This issue affects API endpoints that rely on ansible_base.oauth2_provider for OAuth2 authentication. While the impact is limited to actions within the user’s assigned permissions, it undermines scoped access controls, potentially allowing unintended modifications in the application and consuming services.
History
                    Wed, 02 Apr 2025 06:15:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Title | Automation-gateway: improper scope handling in oauth2 tokens for aap 2.5 | Automation-gateway: aap-gateway: improper scope handling in oauth2 tokens for aap 2.5 | 
Wed, 18 Dec 2024 04:00:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| First Time appeared | Redhat ansible Automation Platform Developer Redhat ansible Automation Platform Inside | |
| CPEs | cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8 cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9 cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8 cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9 | |
| Vendors & Products | Redhat ansible Automation Platform Developer Redhat ansible Automation Platform Inside | |
| References | | |
Tue, 17 Dec 2024 02:15:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| CPEs | cpe:/a:redhat:ansible_automation_platform:2.5::el8 cpe:/a:redhat:ansible_automation_platform:2.5::el9 | |
Mon, 25 Nov 2024 18:15:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Metrics | ssvc | |
Mon, 25 Nov 2024 04:45:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Title | automation-gateway: Improper Scope Handling in OAuth2 Tokens for AAP 2.5 | Automation-gateway: improper scope handling in oauth2 tokens for aap 2.5 | 
| First Time appeared | Redhat Redhat ansible Automation Platform | |
| CPEs | cpe:/a:redhat:ansible_automation_platform:2 | |
| Vendors & Products | Redhat Redhat ansible Automation Platform | |
| References | | |
Fri, 22 Nov 2024 14:00:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Description | A vulnerability was found in the Ansible Automation Platform (AAP). This flaw allows attackers to escalate privileges by improperly leveraging read-scoped OAuth2 tokens to gain write access. This issue affects API endpoints that rely on ansible_base.oauth2_provider for OAuth2 authentication. While the impact is limited to actions within the user’s assigned permissions, it undermines scoped access controls, potentially allowing unintended modifications in the application and consuming services. | |
| Title | automation-gateway: Improper Scope Handling in OAuth2 Tokens for AAP 2.5 | |
| Weaknesses | CWE-284 | |
| References |  | |
| Metrics | threat_severity | cvssV3_1 |
MITRE
                    Status: PUBLISHED
Assigner: redhat
Published: 2024-11-25T03:54:34.342Z
Updated: 2025-08-30T09:18:59.041Z
Reserved: 2024-11-20T08:09:27.275Z
Link: CVE-2024-11483
Vulnrichment
                    Updated: 2024-11-25T17:15:50.414Z
NVD
Status: Awaiting Analysis
Published: 2024-11-25T04:15:03.683
Modified: 2024-12-18T04:15:07.210
Link: CVE-2024-11483
Redhat