RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.5 Product Security and Bug Fix Update (Important) (RHSA-2025:9986)

Published: 01 Jul 2025 00:00:00 | Reported by: Tenable | Type: nessus | Source: www.tenable.com

Red Hat Ansible Automation Platform 2.5 on RHEL 8 / 9 has vulnerabilities that are addressed by the security and bug fix update RHSA-2025:9986.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2025:9986. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(241026);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/24");

  script_cve_id("CVE-2025-22871", "CVE-2025-49520", "CVE-2025-49521");
  script_xref(name:"RHSA", value:"2025:9986");
  script_xref(name:"IAVA", value:"2025-A-0778");

  script_name(english:"RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.5 Product Security and Bug Fix Update (Important) (RHSA-2025:9986)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as
referenced in the RHSA-2025:9986 advisory.

    Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing
    IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to
    individual teams, while automation developers retain the freedom to write tasks that leverage existing
    knowledge without the overhead. Ansible Automation Platform makes it possible for users across an
    organization to share, vet, and manage automation content by means of a simple, powerful, and agentless
    language.

    Security Fix(es):

    * automation-eda-controller: Template Injection via Git Branch and Refspec in EDA Projects
    (CVE-2025-49521)
    * automation-eda-controller: Authenticated Argument Injection in Git URL in EDA Project Creation
    (CVE-2025-49520)
    * automation-gateway-proxy: Request smuggling due to acceptance of invalid chunked data in net/http
    (CVE-2025-22871)
    * automation-gateway-proxy-openssl30: Request smuggling due to acceptance of invalid chunked data in
    net/http (CVE-2025-22871)
    * automation-gateway-proxy-openssl32: Request smuggling due to acceptance of invalid chunked data in
    net/http (CVE-2025-22871)
    * receptor: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and
    other related information, refer to the CVE page(s) listed in the References section.

    Updates and fixes included:

    Automation Platform
    * Updated API error messaging to be more helpful in the event a user logs in as the admin user via legacy
    auth on one component, then tries to do so via the other component (AAP-47541)
    * Fixed an issue where API records could be missing or duplicated across pages (AAP-47504)
    * Refactored V1RootView.get() and improve reverse lookup logic (AAP-47366)
    * Refactored process_statuses() method to reduce its cognitive complexity (AAP-47341)
    * Improved accuracy of openapi API docs and schema (AAP-46639)
    * Reduced the cognitive complexity of method migrate_resource() in migrate_service_data.py from 56 to <=15
    (AAP-45822)
    * Reduced the cognitive complexity of the process_fields() method in serializers/preference.py file
    (AAP-45820)
    * Reduced the cognitive complexity of unique_fields_for_model() method to below 15 (AAP-45819)
    * Enable query filtering for fields user_ansible_id, team_ansible_id, and object_ansible_id on the role
    assignment API endpoints (AAP-45443)
    * The Survey form is displayed for a Worlflow visualizer Job template or Workflow Job template node with a
    survey enabled and no Prompt on Launch fields (AAP-47732)
    * Fixed a bug that was causing the UI to throw an error when launching a workflow job template with both
    Prompt on Launch and Survey enabled (AAP-47668)
    * The API feature flags used to hide references to Policy as Code in the UI have been removed. All Policy
    as Code fields appear for all users at all times (AAP-47006)
    * Fixed a bug that was causing the UI to throw an error when launching a workflow job template with both
    Prompt on Launch and Survey enabled (AAP-46813)
    * On the inventory source form, for a source type of 'VMware ESXi' the user will be able to select
    credentials of type 'VMware vCenter' (AAP-46784)
    * Fixed a bug  when selecting the 'Comparison' field for Atrriibute trigger in the Authenticator Map form
    (AAP-46555)
    * Fixed a bug that was causing the UI to throw an error when launching a workflow job template with both
    Prompt on Launch and Survey enabled (AAP-45834)
    * added an extra validation to handle incorrect user input in the variables field, as the API doesn't
    return an error for it (AAP-42563)
    * Fixed a bug that was causing the UI to throw an error when launching a workflow job template with both
    Prompt on Launch and Survey enabled (AAP-42303)
    * The Hosts links in the Resource Counts section of the overview page were fixed to redirect to the Hosts
    page (AAP-42288)
    * Allows role assignments using object_ansible_id in the role_user_assignment module (AAP-48042)
    * Improved documentation and examples related to object_id and object_ansible_id parameters in
    role_user_assignment module (AAP-48041)
    * Allows object_id field in role_user_assignment module to accept a list of items (AAP-47979)
    * Fixed an example task in ansible.platform.token module (AAP-47976)
    * Specify correct aap_* parameters in ansible.platform.token module (AAP-47975)
    * Improved documentation and examples for authenticator and authenticator_map modules (AAP-45982)
    * Updated documentation examples for the ansible.platform.settings module with tested tasks examples
    (AAP-45954)
    * Added a new section in the collection README describing how to authenticate to AAP from the playbook
    (AAP-45578)
    * Ensures that modules in the ansible.platform collection accepts AAP_* variable for authentication
    (AAP-45363)
    * Fixed ansible.platform.user not adding users to organizations (AAP-45248)
    * Allows running ansible.platform collection modules in check_mode (AAP-45246)
    * Added missing option in the ansible.platform.user module to allow setting the is_platform_auditor flag
    on a user (AAP-45244)
    * automation-gateway has been updated to 2.5.20250702
    * automation-gateway-proxy has been updated to 2.5.10-2
    * automation-gateway-proxy-openssl30 has been updated to 2.6.6-2
    * automation-gateway-proxy-openssl32 has been updated to 2.6.6-2
    * python3.11-django-ansible-base has been updated to 2.5.20250702

    Automation controller
    * Fixed database deadlock by means of 'awx_callback_receiver_worker' and 'awx_dispatcher_worker' while
    they attempted to update hosts 'last_job_id' and 'ansible_facts' in two separate commands (AAP-46038)
    * Fixed race condition where job templates with duplicate names in the same organization could be created
    (AAP-45968)
    * Fixed a bug where some credential types were not populated after upgrading. This adds a new migration to
    accomplish this (AAP-44233)
    * Updated controller to reduce the number of large amount of jobs queued stuck in waiting status
    (AAP-44143)
    * receptor: Handle EOF correctly when pod is ready (AAP-46484)
    * receptor: removed connections that have cancelled context (AAP-47996)
    * automation-controller has been updated to 4.6.16
    * receptor has been updated to 1.5.7

    Automation hub
    * Any user can search and filter using ai keywords to find AI related collections (AAP-43138)
    * automation-hub has been updated to 4.10.5
    * python3.11-galaxy-importer has been updated to 0.4.31
    * python3.11-galaxy-ng has been updated to 4.10.5
    * python3.11-pulp-ansible has been updated to 0.25.1
    * python3.11-pulpcore has been updated to 3.49.42

    Event-Driven Ansible
    * Fixed an issue where the activation hangs when gather_facts is set to true in a rulebook, gather_facts
    is available only when running ansible-rulebook as a CLI (AAP-47846)
    * Fixed a bug where DE images that use an SHA digest in the URI would fail to pull (AAP-47725)
    * API REST now supports the edition of the url of the project (AAP-47459)
    * Added validations to URL, branch/tag/commit, and refspec fields when create or update a project
    (AAP-47227)
    * Project resync is now triggered automatically when url/branch/scm_refspec is modified (AAP-46254)
    * Relevant settings and versions are emitted in logs when the worker starts (AAP-40984)
    * ansible-rulebook has been updated to 1.1.7
    * automation-eda-controller has been updated to 1.1.11
    * python3.11-websockets has been updated to 15.0

    Container-based Ansible Automation Platform
    * Fixed an issue with the Redis socket mount point permissions (AAP-48230)
    * Fixed TLS Certificate Authority (CA) certificate for Receptor mesh configuration when providing TLS
    certificates not signed by the internal CA (AAP-48065)
    * Fixed missing user parameter for the sos report command on the log_gathering playbook (AAP-47718)
    * Validate that nodes are configured with at least 16G of RAM (AAP-47542)
    * Fixed jquery version in the redirect page (AAP-47074)
    * containerized installer setup has been updated to 2.5-16

    RPM-based Ansible Automation Platform
    * Fixed issue where redis-platform would not restart on restore (AAP-47689)
    * Old service nodes are now removed from gateway when the installer runs with a new host or new host names
    (AAP-47651)
    * Fixed an issue where restore was failing when a non-default port was used for AAP managed database
    (AAP-47639)
    * Fixed an issue where some pages didn't render properly when non-default umask was being used (AAP-47377)
    * Fixed issue where EDA script was not starting nginx on restart (AAP-46511)
    * Credentials associated to decision environments will now be updated with the site information defined in
    the source inventory during restore (AAP-46271)
    * Receptor certificate tasks will no longer require switching to receptor user (AAP-46189)
    * Fixed issue where the firewall was not opening event stream ports (AAP-45684)
    * ansible-automation-platform-installer and installer setup have been updated to 2.5-15

    Additional changes:
    * ansible-creator has been updated to 25.5.0
    * ansible-dev-environment has been updated to 25.5.0
    * ansible-dev-tools has been updated to 25.5.2
    * ansible-lint has been updated to 25.5.0
    * ansible-navigator has been updated to 25.5.0
    * molecule has been updated to 25.5.0
    * python3.11-ansible-compat has been updated to 25.5.0
    * python3.11-dispatcherd has been added
    * python3.11-dynaconf has been updated to 3.2.11
    * python3.11-psycopg has been updated to 3.2.7
    * python3.11-pytest-ansible has been updated to 25.5.0
    * python3.11-tox-ansible has been updated to 25.5.0

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/updates/classification/#important");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2358493");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2370812");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2370817");
  script_set_attribute(attribute:"see_also", value:"https://issues.redhat.com/browse/AAP-42288");
  # https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_9986.json
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cbea72d2");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2025:9986");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-22871");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(88, 94, 444);
  script_set_attribute(attribute:"vendor_severity", value:"Important");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/04/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/06/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/07/01");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:automation-eda-controller");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:automation-eda-controller-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:automation-eda-controller-base-services");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:automation-eda-controller-event-stream-services");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:automation-eda-controller-worker-services");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:automation-gateway-proxy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:automation-gateway-proxy-openssl30");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:automation-gateway-proxy-openssl30-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:automation-gateway-proxy-openssl32");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:automation-gateway-proxy-openssl32-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:automation-gateway-proxy-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:receptor");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:receptorctl");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');
include('rhel.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'Red Hat' >!< os_product) audit(AUDIT_OS_NOT, 'Red Hat');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
if (!rhel_check_release_list(operator: 'ge', os_version: os_version, rhel_versions: ['8','9'])) audit(AUDIT_OS_NOT, 'Red Hat 8.x / 9.x', 'Red Hat ' + os_version);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'release': '8',
    'repo_relative_urls': [
      'content/dist/layered/rhel8/aarch64/ansible-automation-platform/2.5/debug',
      'content/dist/layered/rhel8/aarch64/ansible-automation-platform/2.5/os',
      'content/dist/layered/rhel8/aarch64/ansible-automation-platform/2.5/source/SRPMS',
      'content/dist/layered/rhel8/aarch64/ansible-developer/1.2/debug',
      'content/dist/layered/rhel8/aarch64/ansible-developer/1.2/os',
      'content/dist/layered/rhel8/aarch64/ansible-developer/1.2/source/SRPMS',
      'content/dist/layered/rhel8/aarch64/ansible-inside/1.3/debug',
      'content/dist/layered/rhel8/aarch64/ansible-inside/1.3/os',
      'content/dist/layered/rhel8/aarch64/ansible-inside/1.3/source/SRPMS',
      'content/dist/layered/rhel8/ppc64le/ansible-automation-platform/2.5/debug',
      'content/dist/layered/rhel8/ppc64le/ansible-automation-platform/2.5/os',
      'content/dist/layered/rhel8/ppc64le/ansible-automation-platform/2.5/source/SRPMS',
      'content/dist/layered/rhel8/ppc64le/ansible-developer/1.2/debug',
      'content/dist/layered/rhel8/ppc64le/ansible-developer/1.2/os',
      'content/dist/layered/rhel8/ppc64le/ansible-developer/1.2/source/SRPMS',
      'content/dist/layered/rhel8/ppc64le/ansible-inside/1.3/debug',
      'content/dist/layered/rhel8/ppc64le/ansible-inside/1.3/os',
      'content/dist/layered/rhel8/ppc64le/ansible-inside/1.3/source/SRPMS',
      'content/dist/layered/rhel8/s390x/ansible-automation-platform/2.5/debug',
      'content/dist/layered/rhel8/s390x/ansible-automation-platform/2.5/os',
      'content/dist/layered/rhel8/s390x/ansible-automation-platform/2.5/source/SRPMS',
      'content/dist/layered/rhel8/s390x/ansible-developer/1.2/debug',
      'content/dist/layered/rhel8/s390x/ansible-developer/1.2/os',
      'content/dist/layered/rhel8/s390x/ansible-developer/1.2/source/SRPMS',
      'content/dist/layered/rhel8/s390x/ansible-inside/1.3/debug',
      'content/dist/layered/rhel8/s390x/ansible-inside/1.3/os',
      'content/dist/layered/rhel8/s390x/ansible-inside/1.3/source/SRPMS',
      'content/dist/layered/rhel8/x86_64/ansible-automation-platform/2.5/debug',
      'content/dist/layered/rhel8/x86_64/ansible-automation-platform/2.5/os',
      'content/dist/layered/rhel8/x86_64/ansible-automation-platform/2.5/source/SRPMS',
      'content/dist/layered/rhel8/x86_64/ansible-developer/1.2/debug',
      'content/dist/layered/rhel8/x86_64/ansible-developer/1.2/os',
      'content/dist/layered/rhel8/x86_64/ansible-developer/1.2/source/SRPMS',
      'content/dist/layered/rhel8/x86_64/ansible-inside/1.3/debug',
      'content/dist/layered/rhel8/x86_64/ansible-inside/1.3/os',
      'content/dist/layered/rhel8/x86_64/ansible-inside/1.3/source/SRPMS'
    ],
    'pkgs': [
      {'reference':'receptor-1.5.7-2.el8ap', 'el_string':'el8ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.5', 'cves':['CVE-2025-22871']},
      {'reference':'receptorctl-1.5.7-2.el8ap', 'el_string':'el8ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.5', 'cves':['CVE-2025-22871']}
    ]
  },
  {
    'release': '8',
    'repo_relative_urls': [
      'content/dist/layered/rhel8/aarch64/ansible-automation-platform/2.5/debug',
      'content/dist/layered/rhel8/aarch64/ansible-automation-platform/2.5/os',
      'content/dist/layered/rhel8/aarch64/ansible-automation-platform/2.5/source/SRPMS',
      'content/dist/layered/rhel8/ppc64le/ansible-automation-platform/2.5/debug',
      'content/dist/layered/rhel8/ppc64le/ansible-automation-platform/2.5/os',
      'content/dist/layered/rhel8/ppc64le/ansible-automation-platform/2.5/source/SRPMS',
      'content/dist/layered/rhel8/s390x/ansible-automation-platform/2.5/debug',
      'content/dist/layered/rhel8/s390x/ansible-automation-platform/2.5/os',
      'content/dist/layered/rhel8/s390x/ansible-automation-platform/2.5/source/SRPMS',
      'content/dist/layered/rhel8/x86_64/ansible-automation-platform/2.5/debug',
      'content/dist/layered/rhel8/x86_64/ansible-automation-platform/2.5/os',
      'content/dist/layered/rhel8/x86_64/ansible-automation-platform/2.5/source/SRPMS'
    ],
    'pkgs': [
      {'reference':'automation-eda-controller-1.1.11-1.el8ap', 'el_string':'el8ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.5', 'cves':['CVE-2025-49520', 'CVE-2025-49521']},
      {'reference':'automation-eda-controller-base-1.1.11-1.el8ap', 'el_string':'el8ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.5', 'cves':['CVE-2025-49520', 'CVE-2025-49521']},
      {'reference':'automation-eda-controller-base-services-1.1.11-1.el8ap', 'el_string':'el8ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.5', 'cves':['CVE-2025-49520', 'CVE-2025-49521']},
      {'reference':'automation-eda-controller-event-stream-services-1.1.11-1.el8ap', 'el_string':'el8ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.5', 'cves':['CVE-2025-49520', 'CVE-2025-49521']},
      {'reference':'automation-eda-controller-worker-services-1.1.11-1.el8ap', 'el_string':'el8ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.5', 'cves':['CVE-2025-49520', 'CVE-2025-49521']},
      {'reference':'automation-gateway-proxy-2.5.10-2.el8ap', 'el_string':'el8ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.5', 'cves':['CVE-2025-22871']},
      {'reference':'automation-gateway-proxy-server-2.5.10-2.el8ap', 'el_string':'el8ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.5', 'cves':['CVE-2025-22871']}
    ]
  },
  {
    'release': '9',
    'repo_relative_urls': [
      'content/dist/layered/rhel9/aarch64/ansible-automation-platform/2.5/debug',
      'content/dist/layered/rhel9/aarch64/ansible-automation-platform/2.5/os',
      'content/dist/layered/rhel9/aarch64/ansible-automation-platform/2.5/source/SRPMS',
      'content/dist/layered/rhel9/aarch64/ansible-developer/1.2/debug',
      'content/dist/layered/rhel9/aarch64/ansible-developer/1.2/os',
      'content/dist/layered/rhel9/aarch64/ansible-developer/1.2/source/SRPMS',
      'content/dist/layered/rhel9/aarch64/ansible-inside/1.3/debug',
      'content/dist/layered/rhel9/aarch64/ansible-inside/1.3/os',
      'content/dist/layered/rhel9/aarch64/ansible-inside/1.3/source/SRPMS',
      'content/dist/layered/rhel9/ppc64le/ansible-automation-platform/2.5/debug',
      'content/dist/layered/rhel9/ppc64le/ansible-automation-platform/2.5/os',
      'content/dist/layered/rhel9/ppc64le/ansible-automation-platform/2.5/source/SRPMS',
      'content/dist/layered/rhel9/ppc64le/ansible-developer/1.2/debug',
      'content/dist/layered/rhel9/ppc64le/ansible-developer/1.2/os',
      'content/dist/layered/rhel9/ppc64le/ansible-developer/1.2/source/SRPMS',
      'content/dist/layered/rhel9/ppc64le/ansible-inside/1.3/debug',
      'content/dist/layered/rhel9/ppc64le/ansible-inside/1.3/os',
      'content/dist/layered/rhel9/ppc64le/ansible-inside/1.3/source/SRPMS',
      'content/dist/layered/rhel9/s390x/ansible-automation-platform/2.5/debug',
      'content/dist/layered/rhel9/s390x/ansible-automation-platform/2.5/os',
      'content/dist/layered/rhel9/s390x/ansible-automation-platform/2.5/source/SRPMS',
      'content/dist/layered/rhel9/s390x/ansible-developer/1.2/debug',
      'content/dist/layered/rhel9/s390x/ansible-developer/1.2/os',
      'content/dist/layered/rhel9/s390x/ansible-developer/1.2/source/SRPMS',
      'content/dist/layered/rhel9/s390x/ansible-inside/1.3/debug',
      'content/dist/layered/rhel9/s390x/ansible-inside/1.3/os',
      'content/dist/layered/rhel9/s390x/ansible-inside/1.3/source/SRPMS',
      'content/dist/layered/rhel9/x86_64/ansible-automation-platform/2.5/debug',
      'content/dist/layered/rhel9/x86_64/ansible-automation-platform/2.5/os',
      'content/dist/layered/rhel9/x86_64/ansible-automation-platform/2.5/source/SRPMS',
      'content/dist/layered/rhel9/x86_64/ansible-developer/1.2/debug',
      'content/dist/layered/rhel9/x86_64/ansible-developer/1.2/os',
      'content/dist/layered/rhel9/x86_64/ansible-developer/1.2/source/SRPMS',
      'content/dist/layered/rhel9/x86_64/ansible-inside/1.3/debug',
      'content/dist/layered/rhel9/x86_64/ansible-inside/1.3/os',
      'content/dist/layered/rhel9/x86_64/ansible-inside/1.3/source/SRPMS'
    ],
    'pkgs': [
      {'reference':'receptor-1.5.7-2.el9ap', 'el_string':'el9ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.5', 'cves':['CVE-2025-22871']},
      {'reference':'receptorctl-1.5.7-2.el9ap', 'el_string':'el9ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.5', 'cves':['CVE-2025-22871']}
    ]
  },
  {
    'release': '9',
    'repo_relative_urls': [
      'content/dist/layered/rhel9/aarch64/ansible-automation-platform/2.5/debug',
      'content/dist/layered/rhel9/aarch64/ansible-automation-platform/2.5/os',
      'content/dist/layered/rhel9/aarch64/ansible-automation-platform/2.5/source/SRPMS',
      'content/dist/layered/rhel9/ppc64le/ansible-automation-platform/2.5/debug',
      'content/dist/layered/rhel9/ppc64le/ansible-automation-platform/2.5/os',
      'content/dist/layered/rhel9/ppc64le/ansible-automation-platform/2.5/source/SRPMS',
      'content/dist/layered/rhel9/s390x/ansible-automation-platform/2.5/debug',
      'content/dist/layered/rhel9/s390x/ansible-automation-platform/2.5/os',
      'content/dist/layered/rhel9/s390x/ansible-automation-platform/2.5/source/SRPMS',
      'content/dist/layered/rhel9/x86_64/ansible-automation-platform/2.5/debug',
      'content/dist/layered/rhel9/x86_64/ansible-automation-platform/2.5/os',
      'content/dist/layered/rhel9/x86_64/ansible-automation-platform/2.5/source/SRPMS'
    ],
    'pkgs': [
      {'reference':'automation-eda-controller-1.1.11-1.el9ap', 'el_string':'el9ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.5', 'cves':['CVE-2025-49520', 'CVE-2025-49521']},
      {'reference':'automation-eda-controller-base-1.1.11-1.el9ap', 'el_string':'el9ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.5', 'cves':['CVE-2025-49520', 'CVE-2025-49521']},
      {'reference':'automation-eda-controller-base-services-1.1.11-1.el9ap', 'el_string':'el9ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.5', 'cves':['CVE-2025-49520', 'CVE-2025-49521']},
      {'reference':'automation-eda-controller-event-stream-services-1.1.11-1.el9ap', 'el_string':'el9ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.5', 'cves':['CVE-2025-49520', 'CVE-2025-49521']},
      {'reference':'automation-eda-controller-worker-services-1.1.11-1.el9ap', 'el_string':'el9ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.5', 'cves':['CVE-2025-49520', 'CVE-2025-49521']},
      {'reference':'automation-gateway-proxy-openssl30-2.6.6-2.el9ap', 'el_string':'el9ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.5', 'cves':['CVE-2025-22871']},
      {'reference':'automation-gateway-proxy-openssl30-server-2.6.6-2.el9ap', 'el_string':'el9ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.5', 'cves':['CVE-2025-22871']},
      {'reference':'automation-gateway-proxy-openssl32-2.6.6-2.el9ap', 'el_string':'el9ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.5', 'cves':['CVE-2025-22871']},
      {'reference':'automation-gateway-proxy-openssl32-server-2.6.6-2.el9ap', 'el_string':'el9ap', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'automation-hub-2.5', 'cves':['CVE-2025-22871']}
    ]
  }
];

var applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);
if(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var repo_relative_urls;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }

  if (!empty_or_null(constraint['repo_relative_urls'])) repo_relative_urls = constraint['repo_relative_urls'];

  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&
        (applicable_repo_urls || (!exists_check || rpm_exists(rpm:exists_check))) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  if (isnull(applicable_repo_urls) || !applicable_repo_urls) extra = rpm_report_get() + redhat_report_repo_caveat();
  else extra = rpm_report_get();
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : extra
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'automation-eda-controller / automation-eda-controller-base / etc');
}

Last modified: 24 Oct 2025 00:00 (current)
Vulners AI Score: 7.3 (High risk)
CVSS 3.1: 9.1
EPSS: 0.0047