RHSA-2026:2181
Vulnerability from csaf_redhat - Published: 2026-02-05 18:57 - Updated: 2026-02-06 01:32
Summary
Red Hat Security Advisory: Self-service automation portal 2.1 security update
Notes
Topic
Updated images are now available for Self-service automation portal 2.1, which include new features, bug fixes, and enhancements for Red Hat Ansible Automation Platform integration with Red Hat Developer Hub.
Details
Self-service automation portal 2.1 delivers an Ansible-first Red Hat Developer Hub
user experience that simplifies the automation experience for Ansible users of all skill levels.
The Ansible plug-ins provide curated content and features to accelerate Ansible learner
onboarding and streamline Ansible use case adoption across your organization.
Security Fix(es):
* automation-portal
* CVE-2025-61140 (jsonpath: Prototype Pollution vulnerability in the value function)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated images are now available for Self-service automation portal 2.1, which include new features, bug fixes, and enhancements for Red Hat Ansible Automation Platform integration with Red Hat Developer Hub.",
"title": "Topic"
},
{
"category": "general",
"text": "Self-service automation portal 2.1 delivers an Ansible-first Red Hat Developer Hub\nuser experience that simplifies the automation experience for Ansible users of all skill levels.\nThe Ansible plug-ins provide curated content and features to accelerate Ansible learner\nonboarding and streamline Ansible use case adoption across your organization.\nSecurity Fix(es):\n * automation-portal \n * CVE-2025-61140",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:2181",
"url": "https://access.redhat.com/errata/RHSA-2026:2181"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-61140",
"url": "https://access.redhat.com/security/cve/CVE-2025-61140"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform",
"url": "https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_2181.json"
}
],
"title": "Red Hat Security Advisory: Self-service automation portal 2.1 security update",
"tracking": {
"current_release_date": "2026-02-06T01:32:48+00:00",
"generator": {
"date": "2026-02-06T01:32:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.1"
}
},
"id": "RHSA-2026:2181",
"initial_release_date": "2026-02-05T18:57:03+00:00",
"revision_history": [
{
"date": "2026-02-05T18:57:03+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-02-05T18:57:28+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-02-06T01:32:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Self-service automation portal 2.1",
"product": {
"name": "Self-service automation portal 2.1",
"product_id": "Self-service automation portal 2.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ansible_portal:2.1"
}
}
}
],
"category": "product_family",
"name": "Self-service automation portal"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/ansible-automation-platform/automation-portal@sha256:140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76_amd64",
"product": {
"name": "registry.redhat.io/ansible-automation-platform/automation-portal@sha256:140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76_amd64",
"product_id": "registry.redhat.io/ansible-automation-platform/automation-portal@sha256:140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76_amd64",
"product_identification_helper": {
"purl": "pkg:oci/automation-portal@sha256%3A140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76?arch=amd64\u0026repository_url=registry.redhat.io/ansible-automation-platform\u0026tag=1770282458"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/ansible-automation-platform/automation-portal@sha256:140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76_amd64 as a component of Self-service automation portal 2.1",
"product_id": "Self-service automation portal 2.1:registry.redhat.io/ansible-automation-platform/automation-portal@sha256:140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76_amd64"
},
"product_reference": "registry.redhat.io/ansible-automation-platform/automation-portal@sha256:140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76_amd64",
"relates_to_product_reference": "Self-service automation portal 2.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-61140",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2026-01-28T17:00:46.678419+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2433946"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jsonpath. The `value` function is vulnerable to Prototype Pollution, a type of vulnerability that allows an attacker to inject or modify properties of an object\u0027s prototype. This can lead to various impacts, including arbitrary code execution, privilege escalation, or denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jsonpath: jsonpath: Prototype Pollution vulnerability in the value function",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Self-service automation portal 2.1:registry.redhat.io/ansible-automation-platform/automation-portal@sha256:140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-61140"
},
{
"category": "external",
"summary": "RHBZ#2433946",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433946"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-61140",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61140"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-61140",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61140"
},
{
"category": "external",
"summary": "https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d",
"url": "https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d"
},
{
"category": "external",
"summary": "https://github.com/dchester/jsonpath",
"url": "https://github.com/dchester/jsonpath"
}
],
"release_date": "2026-01-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-02-05T18:57:03+00:00",
"details": "For more about Ansible plugins for Red Hat Developer Hub, see References links",
"product_ids": [
"Self-service automation portal 2.1:registry.redhat.io/ansible-automation-platform/automation-portal@sha256:140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:2181"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Self-service automation portal 2.1:registry.redhat.io/ansible-automation-platform/automation-portal@sha256:140ed733a2820c7087000878f99ca3010613743ccc43c667956dc1d74302fd76_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jsonpath: jsonpath: Prototype Pollution vulnerability in the value function"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.