CVE-2023-5189 Hub: insecure galaxy-importer tarfile extraction

🗓️ 14 Nov 2023 22:57:00Reported by redhatType

Insecure tarfile extraction in Ansible Automation Hub

Reporter	Title	Published	Views	Family All 31
BDU FSTEC	The vulnerability of the Red Hat Ansible configuration management system lies in the incorrect limitation of the path name to the restricted access directory, allowing a hacker to re-record arbitrary files.	26 Sep 202300:00	–	bdu_fstec
Circl	CVE-2023-5189	30 Aug 202507:23	–	circl
CNNVD	Red Hat Ansible Automation Security Vulnerability	26 Sep 202300:00	–	cnnvd
CVE	CVE-2023-5189	14 Nov 202322:57	–	cve
Debian CVE	CVE-2023-5189	14 Nov 202322:57	–	debiancve
EUVD	EUVD-2023-2886	3 Oct 202520:07	–	euvd
Github Security Blog	Ansible galaxy-importer Path Traversal vulnerability	15 Nov 202300:31	–	github
NVD	CVE-2023-5189	14 Nov 202323:15	–	nvd
OSV	CVE-2023-5189	14 Nov 202323:15	–	osv
OSV	GHSA-55G2-VM3Q-7W52 Ansible galaxy-importer Path Traversal vulnerability	15 Nov 202300:31	–	osv

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "python3x-galaxy-importer",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:0.4.18-1.el8ap",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
      "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8",
      "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8",
      "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9",
      "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9",
      "cpe:/a:redhat:ansible_automation_platform:2.4::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 9",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "python-galaxy-importer",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:0.4.18-1.el9ap",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
      "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8",
      "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8",
      "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9",
      "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9",
      "cpe:/a:redhat:ansible_automation_platform:2.4::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Satellite 6.14 for RHEL 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "python-galaxy-importer",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:0.4.18-2.el8pc",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:satellite:6.14::el8",
      "cpe:/a:redhat:satellite_capsule:6.14::el8",
      "cpe:/a:redhat:satellite_utils:6.14::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Satellite 6.14 for RHEL 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "python-galaxy-importer",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:0.4.18-2.el8pc",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:satellite:6.14::el8",
      "cpe:/a:redhat:satellite_capsule:6.14::el8",
      "cpe:/a:redhat:satellite_utils:6.14::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Satellite 6.15 for RHEL 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "python-galaxy-importer",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:0.4.19-2.el8pc",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:satellite_utils:6.15::el8",
      "cpe:/a:redhat:satellite_capsule:6.15::el8",
      "cpe:/a:redhat:satellite:6.15::el8",
      "cpe:/a:redhat:satellite_maintenance:6.15::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Satellite 6.15 for RHEL 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "python-galaxy-importer",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:0.4.19-2.el8pc",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:satellite_utils:6.15::el8",
      "cpe:/a:redhat:satellite_capsule:6.15::el8",
      "cpe:/a:redhat:satellite:6.15::el8",
      "cpe:/a:redhat:satellite_maintenance:6.15::el8"
    ]
  }
]

Source	Link
access	www.access.redhat.com/errata/RHSA-2024:1536
access	www.access.redhat.com/errata/RHSA-2024:2010
access	www.access.redhat.com/security/cve/CVE-2023-5189
access	www.access.redhat.com/errata/RHSA-2023:7773
bugzilla	www.bugzilla.redhat.com/show_bug.cgi

20 Nov 2025 17:30Current

6.5Medium risk

Vulners AI Score6.5

CVSS 3.16.3

EPSS0.008

CWE-23