No description is available for this CVE.

Mitigation

The steps below mitigate the flaw. Updating the product once the fix is available is still recommended.

1) Set GRPC_SERVER_MAX_THREADS_PER_PROCESS = 1

This mitigates the issue going forward: only one thread then uses the ExternalAuth() object instantiated by the parent process, which eliminates the thread-safety risk because the worker processes only one request at a time.

2) It is possible that, at any time since the install/upgrade of AAP 2.5, long-lived OAuth tokens created in the components through the endpoints listed below could give long-term access to a different user's identity/privileges. Requests made with these tokens will appear to come from the user for which they were created and are indistinguishable from “valid” tokens that were created by the correct user:

/api/controller/v2/tokens/
/api/controller/v2/applications//tokens/
/api/galaxy/v3/auth/token/
/api/controller/o/token/

Because it is likely not feasible to trace every request that could have generated a token back to its original request in the GRPC server, the most conservative and safe path to mitigate this risk would be to invalidate/revoke all existing OAuth tokens in the components (hub, controller,…
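Why mitigation step 1 works, as an added toy model that is not AAP code: the page does not describe the internals of ExternalAuth(), so the hypothetical SharedAuth class below simply assumes the shared object holds per-request state. A barrier forces the worst-case interleaving so the result is reproducible.

```python
import threading
from concurrent.futures import ThreadPoolExecutor


class SharedAuth:
    """Hypothetical auth helper that keeps per-request state on the instance."""

    def __init__(self):
        self.current_user = None

    def authenticate(self, user, gate):
        self.current_user = user   # request-scoped data written to a shared object
        gate.wait()                # constructed: hold until every worker has written
        return self.current_user   # identity the response (or token) gets bound to


def serve(users, max_threads):
    """Return (requesting_user, identity_used) for each request."""
    auth = SharedAuth()                    # one instance, created once by the parent
    gate = threading.Barrier(max_threads)  # forces the worst-case interleaving
    with ThreadPoolExecutor(max_workers=max_threads) as pool:
        used = list(pool.map(lambda u: auth.authenticate(u, gate), users))
    return list(zip(users, used))


def mismatches(pairs):
    """Requests that were served under someone else's identity."""
    return [(asked, got) for asked, got in pairs if asked != got]


if __name__ == "__main__":
    users = ["alice", "bob"]  # constructed sample requests
    print("2 worker threads:", mismatches(serve(users, 2)))
    print("1 worker thread: ", mismatches(serve(users, 1)))
```

With two workers both requests resolve to whichever user was written last; with one worker each request is written and read before the next one starts.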