CVE-2023-5189 (GCVE-0-2023-5189)

Vulnerability from cvelistv5 – Published: 2023-11-14 22:57 – Updated: 2025-11-20 17:30
VLAI?
Title
Hub: insecure galaxy-importer tarfile extraction
Summary
A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten.
Severity ?
6.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N
CWE
  • CWE-23 - Relative Path Traversal
Assigner
References
https://access.redhat.com/errata/RHSA-2023:7773 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1536 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:2010 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-5189 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2234387 issue-trackingx_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat Red Hat Ansible Automation Platform 2.4 for RHEL 8 Unaffected: 0:0.4.18-1.el8ap , < * (rpm)
    cpe:/a:redhat:ansible_automation_platform:2.4::el8
    cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8
    cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8
    cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9
    cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9
    cpe:/a:redhat:ansible_automation_platform:2.4::el9
 Create a notification for this product.
    Red Hat Red Hat Ansible Automation Platform 2.4 for RHEL 9 Unaffected: 0:0.4.18-1.el9ap , < * (rpm)
    cpe:/a:redhat:ansible_automation_platform:2.4::el8
    cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8
    cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8
    cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9
    cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9
    cpe:/a:redhat:ansible_automation_platform:2.4::el9
 Create a notification for this product.
    Red Hat Red Hat Satellite 6.14 for RHEL 8 Unaffected: 0:0.4.18-2.el8pc , < * (rpm)
    cpe:/a:redhat:satellite:6.14::el8
    cpe:/a:redhat:satellite_capsule:6.14::el8
    cpe:/a:redhat:satellite_utils:6.14::el8
 Create a notification for this product.
    Red Hat Red Hat Satellite 6.14 for RHEL 8 Unaffected: 0:0.4.18-2.el8pc , < * (rpm)
    cpe:/a:redhat:satellite:6.14::el8
    cpe:/a:redhat:satellite_capsule:6.14::el8
    cpe:/a:redhat:satellite_utils:6.14::el8
 Create a notification for this product.
    Red Hat Red Hat Satellite 6.15 for RHEL 8 Unaffected: 0:0.4.19-2.el8pc , < * (rpm)
    cpe:/a:redhat:satellite_utils:6.15::el8
    cpe:/a:redhat:satellite_capsule:6.15::el8
    cpe:/a:redhat:satellite:6.15::el8
    cpe:/a:redhat:satellite_maintenance:6.15::el8
 Create a notification for this product.
    Red Hat Red Hat Satellite 6.15 for RHEL 8 Unaffected: 0:0.4.19-2.el8pc , < * (rpm)
    cpe:/a:redhat:satellite_utils:6.15::el8
    cpe:/a:redhat:satellite_capsule:6.15::el8
    cpe:/a:redhat:satellite:6.15::el8
    cpe:/a:redhat:satellite_maintenance:6.15::el8
 Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:52:08.227Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2023:7773",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7773"
          },
          {
            "name": "RHSA-2024:1536",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:1536"
          },
          {
            "name": "RHSA-2024:2010",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:2010"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-5189"
          },
          {
            "name": "RHBZ#2234387",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2234387"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-5189",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-29T14:15:00.429640Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-29T14:16:10.546Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
            "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8",
            "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8",
            "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9",
            "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9",
            "cpe:/a:redhat:ansible_automation_platform:2.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "python3x-galaxy-importer",
          "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:0.4.18-1.el8ap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
            "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8",
            "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8",
            "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9",
            "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9",
            "cpe:/a:redhat:ansible_automation_platform:2.4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "python-galaxy-importer",
          "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:0.4.18-1.el9ap",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:satellite:6.14::el8",
            "cpe:/a:redhat:satellite_capsule:6.14::el8",
            "cpe:/a:redhat:satellite_utils:6.14::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "python-galaxy-importer",
          "product": "Red Hat Satellite 6.14 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:0.4.18-2.el8pc",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:satellite:6.14::el8",
            "cpe:/a:redhat:satellite_capsule:6.14::el8",
            "cpe:/a:redhat:satellite_utils:6.14::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "python-galaxy-importer",
          "product": "Red Hat Satellite 6.14 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:0.4.18-2.el8pc",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:satellite_utils:6.15::el8",
            "cpe:/a:redhat:satellite_capsule:6.15::el8",
            "cpe:/a:redhat:satellite:6.15::el8",
            "cpe:/a:redhat:satellite_maintenance:6.15::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "python-galaxy-importer",
          "product": "Red Hat Satellite 6.15 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:0.4.19-2.el8pc",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:satellite_utils:6.15::el8",
            "cpe:/a:redhat:satellite_capsule:6.15::el8",
            "cpe:/a:redhat:satellite:6.15::el8",
            "cpe:/a:redhat:satellite_maintenance:6.15::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "python-galaxy-importer",
          "product": "Red Hat Satellite 6.15 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:0.4.19-2.el8pc",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "datePublic": "2023-09-26T05:28:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "Relative Path Traversal",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-20T17:30:17.896Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2023:7773",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7773"
        },
        {
          "name": "RHSA-2024:1536",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:1536"
        },
        {
          "name": "RHSA-2024:2010",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:2010"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-5189"
        },
        {
          "name": "RHBZ#2234387",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2234387"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-08-23T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-09-26T05:28:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Hub: insecure galaxy-importer tarfile extraction",
      "x_redhatCweChain": "CWE-23: Relative Path Traversal"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-5189",
    "datePublished": "2023-11-14T22:57:00.584Z",
    "dateReserved": "2023-09-26T05:27:24.004Z",
    "dateUpdated": "2025-11-20T17:30:17.896Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:ansible_automation_platform:2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7B4BE2D6-43C3-4065-A213-5DB1325DC78F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:satellite:6.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"848C92A9-0677-442B-8D52-A448F2019903\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten.\"}, {\"lang\": \"es\", \"value\": \"Existe una vulnerabilidad de path traversal en Ansible al extraer archivos comprimidos. Un atacante podr\\u00eda crear un tarball malicioso para que, al utilizar el importador galaxy de Ansible Automation Hub, se pueda colocar un enlace simb\\u00f3lico en el disco, lo que provocar\\u00eda la sobrescritura de los archivos.\"}]",
      "id": "CVE-2023-5189",
      "lastModified": "2024-12-06T11:15:07.380",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N\", \"baseScore\": 6.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.1, \"impactScore\": 4.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}]}",
      "published": "2023-11-14T23:15:12.290",
      "references": "[{\"url\": \"https://access.redhat.com/errata/RHSA-2023:7773\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:1536\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:2010\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2023-5189\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2234387\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Vendor Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2023:7773\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:1536\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:2010\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2023-5189\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2234387\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "secalert@redhat.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"secalert@redhat.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-23\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-5189\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2023-11-14T23:15:12.290\",\"lastModified\":\"2024-12-06T11:15:07.380\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de path traversal en Ansible al extraer archivos comprimidos. Un atacante podr\u00eda crear un tarball malicioso para que, al utilizar el importador galaxy de Ansible Automation Hub, se pueda colocar un enlace simb\u00f3lico en el disco, lo que provocar\u00eda la sobrescritura de los archivos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-23\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:ansible_automation_platform:2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7B4BE2D6-43C3-4065-A213-5DB1325DC78F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:satellite:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"848C92A9-0677-442B-8D52-A448F2019903\"}]}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHSA-2023:7773\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:1536\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:2010\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2023-5189\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2234387\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2023:7773\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:1536\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2024:2010\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2023-5189\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2234387\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://access.redhat.com/errata/RHSA-2023:7773\", \"name\": \"RHSA-2023:7773\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\", \"x_transferred\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:1536\", \"name\": \"RHSA-2024:1536\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\", \"x_transferred\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:2010\", \"name\": \"RHSA-2024:2010\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\", \"x_transferred\"]}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2023-5189\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\", \"x_transferred\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2234387\", \"name\": \"RHBZ#2234387\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T07:52:08.227Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-5189\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-29T14:15:00.429640Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-29T14:15:51.850Z\"}}], \"cna\": {\"title\": \"Hub: insecure galaxy-importer tarfile extraction\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Moderate\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2.4::el8\", \"cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8\", \"cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8\", \"cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9\", \"cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9\", \"cpe:/a:redhat:ansible_automation_platform:2.4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2.4 for RHEL 8\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:0.4.18-1.el8ap\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"python3x-galaxy-importer\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ansible_automation_platform:2.4::el8\", \"cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8\", \"cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8\", \"cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9\", \"cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9\", \"cpe:/a:redhat:ansible_automation_platform:2.4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ansible Automation Platform 2.4 for RHEL 9\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:0.4.18-1.el9ap\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"python-galaxy-importer\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:satellite:6.14::el8\", \"cpe:/a:redhat:satellite_capsule:6.14::el8\", \"cpe:/a:redhat:satellite_utils:6.14::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Satellite 6.14 for RHEL 8\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:0.4.18-2.el8pc\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"python-galaxy-importer\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:satellite:6.14::el8\", \"cpe:/a:redhat:satellite_capsule:6.14::el8\", \"cpe:/a:redhat:satellite_utils:6.14::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Satellite 6.14 for RHEL 8\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:0.4.18-2.el8pc\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"python-galaxy-importer\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:satellite_utils:6.15::el8\", \"cpe:/a:redhat:satellite_capsule:6.15::el8\", \"cpe:/a:redhat:satellite:6.15::el8\", \"cpe:/a:redhat:satellite_maintenance:6.15::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Satellite 6.15 for RHEL 8\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:0.4.19-2.el8pc\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"python-galaxy-importer\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:satellite_utils:6.15::el8\", \"cpe:/a:redhat:satellite_capsule:6.15::el8\", \"cpe:/a:redhat:satellite:6.15::el8\", \"cpe:/a:redhat:satellite_maintenance:6.15::el8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Satellite 6.15 for RHEL 8\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:0.4.19-2.el8pc\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"python-galaxy-importer\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2023-08-23T00:00:00+00:00\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2023-09-26T05:28:00+00:00\", \"value\": \"Made public.\"}], \"datePublic\": \"2023-09-26T05:28:00.000Z\", \"references\": [{\"url\": \"https://access.redhat.com/errata/RHSA-2023:7773\", \"name\": \"RHSA-2023:7773\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:1536\", \"name\": \"RHSA-2024:1536\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2024:2010\", \"name\": \"RHSA-2024:2010\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2023-5189\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2234387\", \"name\": \"RHBZ#2234387\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-23\", \"description\": \"Relative Path Traversal\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2025-11-20T17:30:17.896Z\"}, \"x_redhatCweChain\": \"CWE-23: Relative Path Traversal\"}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-5189\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-20T17:30:17.896Z\", \"dateReserved\": \"2023-09-26T05:27:24.004Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2023-11-14T22:57:00.584Z\", \"assignerShortName\": \"redhat\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}