{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-5189", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-09-26T05:27:24.004Z", "datePublished": "2023-11-14T22:57:00.584Z", "dateUpdated": "2024-09-16T16:14:02.269Z"}, "containers": {"cna": {"title": "Hub: insecure galaxy-importer tarfile extraction", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "python3x-galaxy-importer", "defaultStatus": "affected", "versions": [{"version": "0:0.4.18-1.el8ap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8", "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8", "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9", "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9", "cpe:/a:redhat:ansible_automation_platform:2.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "python-galaxy-importer", "defaultStatus": "affected", "versions": [{"version": "0:0.4.18-1.el9ap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8", "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8", "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9", "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9", "cpe:/a:redhat:ansible_automation_platform:2.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat Satellite 6.14 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "python-galaxy-importer", "defaultStatus": "affected", "versions": [{"version": "0:0.4.18-2.el8pc", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:satellite_utils:6.14::el8", "cpe:/a:redhat:satellite_capsule:6.14::el8", "cpe:/a:redhat:satellite:6.14::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Satellite 6.14 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "python-galaxy-importer", "defaultStatus": "affected", "versions": [{"version": "0:0.4.18-2.el8pc", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:satellite_utils:6.14::el8", "cpe:/a:redhat:satellite_capsule:6.14::el8", "cpe:/a:redhat:satellite:6.14::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Satellite 6.15 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "python-galaxy-importer", "defaultStatus": "affected", "versions": [{"version": "0:0.4.19-2.el8pc", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:satellite_utils:6.15::el8", "cpe:/a:redhat:satellite_maintenance:6.15::el8", "cpe:/a:redhat:satellite:6.15::el8", "cpe:/a:redhat:satellite_capsule:6.15::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Satellite 6.15 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "python-galaxy-importer", "defaultStatus": "affected", "versions": [{"version": "0:0.4.19-2.el8pc", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:satellite_utils:6.15::el8", "cpe:/a:redhat:satellite_maintenance:6.15::el8", "cpe:/a:redhat:satellite:6.15::el8", "cpe:/a:redhat:satellite_capsule:6.15::el8"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:7773", "name": "RHSA-2023:7773", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1536", "name": "RHSA-2024:1536", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2010", "name": "RHSA-2024:2010", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-5189", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2234387", "name": "RHBZ#2234387", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2023-09-26T05:28:00+00:00", "timeline": [{"lang": "en", "time": "2023-08-23T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-09-26T05:28:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-09-16T16:14:02.269Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:52:08.227Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:7773", "name": "RHSA-2023:7773", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1536", "name": "RHSA-2024:1536", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2010", "name": "RHSA-2024:2010", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-5189", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2234387", "name": "RHBZ#2234387", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-29T14:15:00.429640Z", "id": "CVE-2023-5189", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T14:16:10.546Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:7773", "name": "RHSA-2023:7773", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1536", "name": "RHSA-2024:1536", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2010", "name": "RHSA-2024:2010", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-5189", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2234387", "name": "RHBZ#2234387", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:52:08.227Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-5189", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-29T14:15:00.429640Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T14:15:51.850Z"}}], "cna": {"title": "Hub: insecure galaxy-importer tarfile extraction", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"cpes": ["cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8", "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8", "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9", "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9", "cpe:/a:redhat:ansible_automation_platform:2.4::el9"], "vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:0.4.18-1.el8ap", "lessThan": "*", "versionType": "rpm"}], "packageName": "python3x-galaxy-importer", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8", "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8", "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9", "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9", "cpe:/a:redhat:ansible_automation_platform:2.4::el9"], "vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:0.4.18-1.el9ap", "lessThan": "*", "versionType": "rpm"}], "packageName": "python-galaxy-importer", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:satellite_utils:6.14::el8", "cpe:/a:redhat:satellite_capsule:6.14::el8", "cpe:/a:redhat:satellite:6.14::el8"], "vendor": "Red Hat", "product": "Red Hat Satellite 6.14 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:0.4.18-2.el8pc", "lessThan": "*", "versionType": "rpm"}], "packageName": "python-galaxy-importer", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:satellite_utils:6.14::el8", "cpe:/a:redhat:satellite_capsule:6.14::el8", "cpe:/a:redhat:satellite:6.14::el8"], "vendor": "Red Hat", "product": "Red Hat Satellite 6.14 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:0.4.18-2.el8pc", "lessThan": "*", "versionType": "rpm"}], "packageName": "python-galaxy-importer", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:satellite_utils:6.15::el8", "cpe:/a:redhat:satellite_maintenance:6.15::el8", "cpe:/a:redhat:satellite:6.15::el8", "cpe:/a:redhat:satellite_capsule:6.15::el8"], "vendor": "Red Hat", "product": "Red Hat Satellite 6.15 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:0.4.19-2.el8pc", "lessThan": "*", "versionType": "rpm"}], "packageName": "python-galaxy-importer", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:satellite_utils:6.15::el8", "cpe:/a:redhat:satellite_maintenance:6.15::el8", "cpe:/a:redhat:satellite:6.15::el8", "cpe:/a:redhat:satellite_capsule:6.15::el8"], "vendor": "Red Hat", "product": "Red Hat Satellite 6.15 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:0.4.19-2.el8pc", "lessThan": "*", "versionType": "rpm"}], "packageName": "python-galaxy-importer", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2023-08-23T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-09-26T05:28:00+00:00", "value": "Made public."}], "datePublic": "2023-09-26T05:28:00+00:00", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:7773", "name": "RHSA-2023:7773", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1536", "name": "RHSA-2024:1536", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2010", "name": "RHSA-2024:2010", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-5189", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2234387", "name": "RHBZ#2234387", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-09-16T16:14:02.269Z"}}}, "cveMetadata": {"cveId": "CVE-2023-5189", "state": "PUBLISHED", "dateUpdated": "2024-09-16T16:14:02.269Z", "dateReserved": "2023-09-26T05:27:24.004Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2023-11-14T22:57:00.584Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible_automation_platform:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "7B4BE2D6-43C3-4065-A213-5DB1325DC78F", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:satellite:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "848C92A9-0677-442B-8D52-A448F2019903", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten."}, {"lang": "es", "value": "Existe una vulnerabilidad de path traversal en Ansible al extraer archivos comprimidos. Un atacante podr\u00eda crear un tarball malicioso para que, al utilizar el importador galaxy de Ansible Automation Hub, se pueda colocar un enlace simb\u00f3lico en el disco, lo que provocar\u00eda la sobrescritura de los archivos."}], "id": "CVE-2023-5189", "lastModified": "2024-04-25T15:16:02.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 4.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-11-14T23:15:12.290", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2023:7773"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1536"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:2010"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-5189"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2234387"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:7773", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "python3x-galaxy-importer-0:0.4.18-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2023-12-13T00:00:00Z"}, {"advisory": "RHSA-2023:7773", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "python-galaxy-importer-0:0.4.18-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2023-12-13T00:00:00Z"}, {"advisory": "RHSA-2024:1536", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "python-galaxy-importer-0:0.4.18-2.el8pc", "product_name": "Red Hat Satellite 6.14 for RHEL 8", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:1536", "cpe": "cpe:/a:redhat:satellite_capsule:6.14::el8", "package": "python-galaxy-importer-0:0.4.18-2.el8pc", "product_name": "Red Hat Satellite 6.14 for RHEL 8", "release_date": "2024-03-27T00:00:00Z"}, {"advisory": "RHSA-2024:2010", "cpe": "cpe:/a:redhat:satellite:6.15::el8", "package": "python-galaxy-importer-0:0.4.19-2.el8pc", "product_name": "Red Hat Satellite 6.15 for RHEL 8", "release_date": "2024-04-23T00:00:00Z"}, {"advisory": "RHSA-2024:2010", "cpe": "cpe:/a:redhat:satellite_capsule:6.15::el8", "package": "python-galaxy-importer-0:0.4.19-2.el8pc", "product_name": "Red Hat Satellite 6.15 for RHEL 8", "release_date": "2024-04-23T00:00:00Z"}], "bugzilla": {"description": "Hub: insecure galaxy-importer tarfile extraction", "id": "2234387", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2234387"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N", "status": "verified"}, "details": ["A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten.", "A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten."], "name": "CVE-2023-5189", "public_date": "2023-09-26T05:28:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-5189\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-5189"], "threat_severity": "Moderate"}