| Reporter | Title | Published | Views | Family All 104 |
|---|---|---|---|---|
| Security Bulletin: A denial-of-service attack, TE.CL request smuggling, a man-in-the-middle attack, and other vulnerabilities might affect IBM Storage Defender - Resiliency Service | 16 Apr 202516:15 | – | ibm | |
| Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to Django-4.2.18-py3-none-any.whl CVE-2025-26699 | 3 Jun 202510:57 | – | ibm | |
| CVE-2025-26699 | 6 Mar 202500:00 | – | alpinelinux | |
| The vulnerability of the Django web application software, related to insufficient validation of input data, allows attackers to trigger service failures. | 16 Jul 202500:00 | – | bdu_fstec | |
| CVE-2025-26699 vulnerabilities | 6 Mar 202519:15 | – | cgr | |
| CVE-2025-26699 | 6 Mar 202519:13 | – | circl | |
| Django 安全漏洞 | 6 Mar 202500:00 | – | cnnvd | |
| CVE-2025-26699 | 6 Mar 202500:00 | – | cve | |
| CVE-2025-26699 | 6 Mar 202500:00 | – | cvelist | |
| [BSA-123] Security Update for python-django | 8 Apr 202514:37 | – | debian |
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2025:8609. The text
# itself is copyright (C) Red Hat, Inc.
##
include('compat.inc');
if (description)
{
script_id(237806);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/09");
script_cve_id("CVE-2025-26699");
script_xref(name:"RHSA", value:"2025:8609");
script_name(english:"RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update (Moderate) (RHSA-2025:8609)");
script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat host is missing a security update.");
script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by a vulnerability as referenced
in the RHSA-2025:8609 advisory.
Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing
IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to
individual teams, while automation developers retain the freedom to write tasks that leverage existing
knowledge without the overhead. Ansible Automation Platform makes it possible for users across an
organization to share, vet, and manage automation content by means of a simple, powerful, and agentless
language.
Security Fix(es):
* python3-django/python39-django: Potential denial-of-service vulnerability in django.utils.text.wrap()
(CVE-2025-26699)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and
other related information, refer to the CVE page(s) listed in the References section.
Updates and fixes included:
Automation controller
* Updated license mechanism to allow users to provide username and password when fetching subscriptions
via the API and AAP User Interface (AAP-46837)
* Fixes Workflow Visualizer occasionally freezing with higher node counts (AAP-46620)
* Fixed 'useThrottle' so the Jobs List page does not spam the API when websocket events roll in
(AAP-46551)
* Fixed analytics collector failure to clean up temporary files after failed upload to Hybrid Cloud
Console (AAP-45967)
* Updated dispatcher to recycle idle workers based on age, or after completing last task. Extended the
default maximum age to 4 hours, configurable by setting 'WORKER_MAX_LIFETIME_SECONDS' to desirable time,
or setting to None to disable worker recycling (AAP-45948)
* Updated help text on the credentials creation page (AAP-45499)
* Added a bulk update sorting utility method to prevent database deadlocks and normalize batch size
(AAP-45122)
* Replaced basic auth with service account authentication for AAP Subscription management (AAP-44642)
* Updated banner on the Credentials form (specifically for Insights credentials) to inform the user to
enter client ID and secret to create an Insights credential (AAP-43235)
* Updated field names and help text in the System Settings UI to indicate client ID and client secret for
service accounts, as well as client ID and client secret for Analytics (AAP-43161)
* Updated banner and field names in the Subscription editing UI to indicate that Ansible subscriptions now
require a service account from Hybrid Cloud Console (AAP-43160)
* automation-controller has been updated to 4.5.23
Automation hub
* Restricted EE pull access to explicitly authorized users (AAP-46525)
* automation-hub has been updated to 4.9.4
* python3-galaxy-ng/python39-galaxy-ng has been updated to 4.9.4
* python3-pulp-ansible/python39-pulp-ansible has been updated to 0.20.11
Additional changes:
* python3-django/python39-django has been updated to 4.2.21
* installer and setup have been updated to 2.4-12
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/updates/classification/#moderate");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2348993");
# https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_8609.json
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0477ce90");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2025:8609");
script_set_attribute(attribute:"solution", value:
"Update the affected python3-django and / or python39-django packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-26699");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(400);
script_set_attribute(attribute:"vendor_severity", value:"Moderate");
script_set_attribute(attribute:"vuln_publication_date", value:"2025/03/06");
script_set_attribute(attribute:"patch_publication_date", value:"2025/06/05");
script_set_attribute(attribute:"plugin_publication_date", value:"2025/06/05");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:9");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-django");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python3-django");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python39-django");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python3x-django");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Red Hat Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include('rpm2.inc');
include('rhel.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'Red Hat' >!< os_product) audit(AUDIT_OS_NOT, 'Red Hat');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
if (!rhel_check_release_list(operator: 'ge', os_version: os_version, rhel_versions: ['8','9'])) audit(AUDIT_OS_NOT, 'Red Hat 8.x / 9.x', 'Red Hat ' + os_version);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
var constraints = [
{
'release': '8',
'repo_relative_urls': [
'content/dist/layered/rhel8/aarch64/ansible-automation-platform/2.4/debug',
'content/dist/layered/rhel8/aarch64/ansible-automation-platform/2.4/os',
'content/dist/layered/rhel8/aarch64/ansible-automation-platform/2.4/source/SRPMS',
'content/dist/layered/rhel8/ppc64le/ansible-automation-platform/2.4/debug',
'content/dist/layered/rhel8/ppc64le/ansible-automation-platform/2.4/os',
'content/dist/layered/rhel8/ppc64le/ansible-automation-platform/2.4/source/SRPMS',
'content/dist/layered/rhel8/s390x/ansible-automation-platform/2.4/debug',
'content/dist/layered/rhel8/s390x/ansible-automation-platform/2.4/os',
'content/dist/layered/rhel8/s390x/ansible-automation-platform/2.4/source/SRPMS',
'content/dist/layered/rhel8/x86_64/ansible-automation-platform/2.4/debug',
'content/dist/layered/rhel8/x86_64/ansible-automation-platform/2.4/os',
'content/dist/layered/rhel8/x86_64/ansible-automation-platform/2.4/source/SRPMS'
],
'pkgs': [
{'reference':'python39-django-4.2.21-1.el8ap', 'el_string':'el8ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.4'}
]
},
{
'release': '9',
'repo_relative_urls': [
'content/dist/layered/rhel9/aarch64/ansible-automation-platform/2.4/debug',
'content/dist/layered/rhel9/aarch64/ansible-automation-platform/2.4/os',
'content/dist/layered/rhel9/aarch64/ansible-automation-platform/2.4/source/SRPMS',
'content/dist/layered/rhel9/ppc64le/ansible-automation-platform/2.4/debug',
'content/dist/layered/rhel9/ppc64le/ansible-automation-platform/2.4/os',
'content/dist/layered/rhel9/ppc64le/ansible-automation-platform/2.4/source/SRPMS',
'content/dist/layered/rhel9/s390x/ansible-automation-platform/2.4/debug',
'content/dist/layered/rhel9/s390x/ansible-automation-platform/2.4/os',
'content/dist/layered/rhel9/s390x/ansible-automation-platform/2.4/source/SRPMS',
'content/dist/layered/rhel9/x86_64/ansible-automation-platform/2.4/debug',
'content/dist/layered/rhel9/x86_64/ansible-automation-platform/2.4/os',
'content/dist/layered/rhel9/x86_64/ansible-automation-platform/2.4/source/SRPMS'
],
'pkgs': [
{'reference':'python3-django-4.2.21-1.el9ap', 'el_string':'el9ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.4'}
]
}
];
var applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);
if(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);
var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');
var flag = 0;
var repo_relative_urls;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
# Check that the target release is equal to the affected release
if (!empty_or_null(constraint['release'])){
if (constraint['release'] != os_release) continue;
}
if (!empty_or_null(constraint['sp'])){
if (constraint['sp'] != os_sp) continue;
}
if (!empty_or_null(constraint['repo_relative_urls'])) repo_relative_urls = constraint['repo_relative_urls'];
foreach var pkg ( constraint['pkgs'] ) {
reference = NULL;
sp = NULL;
_cpu = NULL;
el_string = NULL;
rpm_spec_vers_cmp = NULL;
epoch = NULL;
allowmaj = NULL;
exists_check = NULL;
cves = NULL;
if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
if (reference &&
rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&
(applicable_repo_urls || (!exists_check || rpm_exists(rpm:exists_check))) &&
rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
}
}
if (flag)
{
var extra = NULL;
if (isnull(applicable_repo_urls) || !applicable_repo_urls) extra = rpm_report_get() + redhat_report_repo_caveat();
else extra = rpm_report_get();
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : extra
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'python3-django / python39-django');
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation