CVE-2025-7738

4.4 MEDIUM

📋 TL;DR

CVE-2025-7738 exposes GitHub Enterprise client secrets in clear text through Ansible Automation Platform's Gateway API. This affects administrators and auditors accessing authenticator configurations, potentially leading to credential leaks. While access is restricted to privileged users, the plaintext exposure increases risk of accidental disclosure or misuse.

💻 Affected Systems

Products:
  • Ansible Automation Platform
  • django-ansible-base
Versions: Specific versions not detailed in CVE; check Red Hat advisories for affected releases
Operating Systems: Linux (RHEL-based deployments)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects GitHub Enterprise authenticator configurations; other authenticator types are not impacted.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Compromised administrator credentials lead to GitHub Enterprise account takeover, enabling unauthorized access to source code, CI/CD pipelines, and sensitive repositories.

🟠 Likely Case

Accidental credential exposure through logs, screenshots, or misconfigured monitoring tools, potentially leading to credential harvesting by internal or external actors.

🟢 If Mitigated

Limited impact with proper access controls, audit logging, and credential rotation, though clear text exposure remains a security hygiene issue.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated administrative access to AAP Gateway API endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Red Hat Security Advisory RHSA-2025:12772 for specific patched versions

Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:12772

Restart Required: Yes

Instructions:

  1. Update Ansible Automation Platform to the patched version specified in RHSA-2025:12772.
  2. Restart AAP services.
  3. Verify GitHub Enterprise authenticator configurations no longer expose secrets in clear text.

🔧 Temporary Workarounds

Restrict API Access


Limit access to Gateway API endpoints to only essential administrative users.

Rotate GitHub Enterprise Credentials


Immediately rotate any exposed GitHub Enterprise client secrets.

🧯 If You Can't Patch

  • Implement strict access controls and audit logging for all administrative API access.
  • Monitor and alert on any access to authenticator configuration endpoints.

🔍 How to Verify

Check if Vulnerable:

Check if GitHub Enterprise authenticator configurations return client secrets in clear text via Gateway API endpoints.

Check Version:

ansible --version or check AAP control plane version via web UI/API

Verify Fix Applied:

After patching, verify that client secrets are no longer exposed in clear text through the API.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to Gateway API authenticator endpoints
  • Administrative user accessing GitHub Enterprise configuration

Network Indicators:

  • API requests to /api/v2/authenticators/ endpoints with GitHub Enterprise parameters

SIEM Query:

source="aap_gateway" AND (uri_path="/api/v2/authenticators/" OR uri_path CONTAINS "github")
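To support the verification and detection steps above, here is an added Python example (not code from this page or from Red Hat) that inspects an authenticator configuration response for secret-bearing keys returned unredacted, and applies the SIEM query's path condition to access-log lines. The JSON field names, the `$encrypted$` redaction placeholder and the log layout are assumptions for illustration.

```python
import json
import re
# Constructed sample of an authenticator object as the Gateway API might return it.
# Field names are assumed for illustration; they are not taken from the product.
SAMPLE_AUTHENTICATOR = json.loads("""
{
  "name": "GitHub Enterprise SSO",
  "type": "github-enterprise",
  "configuration": {
    "URL": "https://ghe.example.internal",
    "KEY": "constructed-client-id",
    "SECRET": "constructed-plaintext-client-secret"
  }
}
""")
# Keys that must never be returned in clear text. "$encrypted$" is assumed to be the
# redaction placeholder; adjust it if your deployment uses a different marker.
SECRET_KEY = re.compile(r"SECRET|TOKEN|PASSWORD|PRIVATE_KEY", re.IGNORECASE)
REDACTED = ("$encrypted$", "")

def find_exposed_secrets(authenticator: dict) -> list:
    """Names of configuration keys whose secret value comes back unredacted."""
    return [
        key
        for key, value in authenticator.get("configuration", {}).items()
        if SECRET_KEY.search(key) and isinstance(value, str) and value not in REDACTED
    ]

# Constructed access-log lines in a simplified "user method path status" layout.
SAMPLE_LOG = """\
admin GET /api/v2/authenticators/ 200
auditor GET /api/v2/authenticators/3/ 200
jenkins POST /api/v2/jobs/ 201
admin GET /api/v2/authenticators/?type=github 200
"""
LOG_LINE = re.compile(r"^(?P<user>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")

def authenticator_reads(log_text: str) -> list:
    """(user, path) per successful read matching the SIEM query's path condition."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        if m.group("method") == "GET" and m.group("status") == "200" and (
            path.startswith("/api/v2/authenticators/") or "github" in path.lower()
        ):
            hits.append((m.group("user"), path))
    return hits
```

Run `find_exposed_secrets` against a real authenticator response before and after patching: a non-empty result means the secret is still being returned in clear text.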
