csaf_certbund - wid-sec-w-2025-2635

wid-sec-w-2025-2635

Vulnerability from csaf_certbund

Published

2025-11-18 23:00

Modified

2025-11-20 23:00

Summary

Red Hat Ansible Automation Platform: Schwachstelle ermöglicht Denial of Service

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Red Hat Ansible Automation Platform ist eine End-to-End-Automatisierungsplattform für die Systemkonfiguration, die Softwarebereitstellung und die Orchestrierung erweiterter Workflows.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat Ansible Automation Platform ausnutzen, um einen Denial of Service Angriff durchzuführen.

Betroffene Betriebssysteme

- Linux - UNIX

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Red Hat Ansible Automation Platform ist eine End-to-End-Automatisierungsplattform f\u00fcr die Systemkonfiguration, die Softwarebereitstellung und die Orchestrierung erweiterter Workflows.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat Ansible Automation Platform ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-2635 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2635.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-2635 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2635"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory vom 2025-11-18",
        "url": "https://access.redhat.com/errata/RHSA-2025:21706"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory vom 2025-11-18",
        "url": "https://access.redhat.com/security/cve/cve-2025-59530"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:21768 vom 2025-11-19",
        "url": "https://access.redhat.com/errata/RHSA-2025:21768"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:21892 vom 2025-11-20",
        "url": "https://access.redhat.com/errata/RHSA-2025:21892"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:21775 vom 2025-11-20",
        "url": "https://access.redhat.com/errata/RHSA-2025:21775"
      }
    ],
    "source_lang": "en-US",
    "title": "Red Hat Ansible Automation Platform: Schwachstelle erm\u00f6glicht Denial of Service",
    "tracking": {
      "current_release_date": "2025-11-20T23:00:00.000+00:00",
      "generator": {
        "date": "2025-11-21T08:17:57.462+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2025-2635",
      "initial_release_date": "2025-11-18T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-11-18T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-11-19T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-11-20T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2.4 for RHEL 9",
                "product": {
                  "name": "Red Hat Ansible Automation Platform \u003c2.4 for RHEL 9",
                  "product_id": "T048729"
                }
              },
              {
                "category": "product_version",
                "name": "2.4 for RHEL 9",
                "product": {
                  "name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9",
                  "product_id": "T048729-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4_for_rhel_9"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.4 for RHEL 8",
                "product": {
                  "name": "Red Hat Ansible Automation Platform \u003c2.4 for RHEL 8",
                  "product_id": "T048730"
                }
              },
              {
                "category": "product_version",
                "name": "2.4 for RHEL 8",
                "product": {
                  "name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
                  "product_id": "T048730-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4_for_rhel_8"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "2.6 for RHEL 9",
                "product": {
                  "name": "Red Hat Ansible Automation Platform 2.6 for RHEL 9",
                  "product_id": "T048744",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:ansible_automation_platform:2.6_for_rhel_9"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Ansible Automation Platform"
          },
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-59530",
      "product_status": {
        "known_affected": [
          "67646",
          "T048729",
          "T048744",
          "T048730"
        ]
      },
      "release_date": "2025-11-18T23:00:00.000+00:00",
      "title": "CVE-2025-59530"
    }
  ]
}

CVE-2025-59530 (GCVE-0-2025-59530)

Vulnerability from cvelistv5

Published

2025-10-10 16:09

Modified

2025-10-10 16:31

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-617 - Reachable Assertion
CWE-755 - Improper Handling of Exceptional Conditions

Summary

quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations. quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. Versions 0.49.0, 0.54.1, and 0.55.0 discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames.

References

URL

Tags

	https://github.com/quic-go/quic-go/security/advisories/GHSA-47m2-4cr7-mhcw	x_refsource_CONFIRM
	https://github.com/quic-go/quic-go/pull/5354	x_refsource_MISC
	https://github.com/quic-go/quic-go/blob/v0.55.0/connection.go#L2682-L2685	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	quic-go	quic-go	Version: < 0.49.1 Version: >= 0.5.0, < 0.54.1

Show details on NVD website