CVE-2023-3971 (AAP on RHEL) - awx also affected

[Jörg Bartz]

Dear group,

based on the recent CVE (see subject) found in RHEL AAP I was wondering if someone on this group might as well be in the process of evaluating if this vulnerability does also affect awx, or if it is just something on the AAP.

I totally understand that regular auditing/pen-testing the fast-paced awx is not something that can primarily be done in this group - the possibility of html injection to harvest user credentials is nevertheless something that I think is somehow concerning.

RHEL support is not very talkative about which awx version the vulenrable release is based on, and I was unsuccessful of finding an exploit / PoC in the wild for this CVE.

So, any thoughts, ideas or hints will be much appreciated!

Best regards,

Jörg

[AWX Project]

You are correct, we do not perform auditing/pen-testing on AWX if someone were able to replicate the affects of the CVE and open an issue in GitHub we would attempt to look at it though. That being said, Red Hat is a major contributor to AWX so if they have fixed a CVE I'm sure they would back port it into AWX (if they haven't done so already). Unfortunately, we wouldn't know which patch it was (unless it was specifically mentioned in the PR) and thus can not say which versions of AWX it would go into. Also note, we don't "back port" PRs into older versions of AWX so if you believe you are affected, please upgrade to the latest version.

-The AWX Team