CVE-2023-5189 — Relative Path Traversal in Redhat Ansible Automation Platform

CWE-23 — Relative Path Traversal CWE-22 — Path Traversal6 documents5 sources

Severity

6.5MEDIUMNVD

CNA6.3

EPSS

0.6%

top 29.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Ansible Automation Platform Redhat Satellite

Timeline

PublishedNov 14

Latest updateNov 15

Description

A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDredhat/ansible_automation_platform2.0

▶NVDredhat/satellite6.0

🔴Vulnerability Details

GHSA

Ansible galaxy-importer Path Traversal vulnerability↗2023-11-15

▶

OSV

Ansible galaxy-importer Path Traversal vulnerability↗2023-11-15

▶

OSV

CVE-2023-5189: A path traversal vulnerability exists in Ansible when extracting tarballs↗2023-11-14

▶

CVEList

Hub: insecure galaxy-importer tarfile extraction↗2023-11-14

▶

📋Vendor Advisories

Red Hat

Hub: insecure galaxy-importer tarfile extraction↗2023-09-26

▶