Impact
A command injection flaw exists in the legacy role import API of Red Hat Ansible Automation Platform 2. The function responsible for checking out code from a git repository inserts unsanitized git reference names—such as branch or tag identifiers—directly into a shell command invoked with shell=True. An authenticated user who controls the repository can create a reference containing shell metacharacters. When the Galaxy/Hub service is configured to allow legacy role operations (GALAXY_ENABLE_LEGACY_ROLES set to True), the attacker can trigger the vulnerable endpoint and execute arbitrary commands on the Pulp worker, compromising confidentiality, integrity, and availability of the system.
Affected Systems
The vulnerability affects Red Hat Ansible Automation Platform 2, specifically the Galaxy/Hub component that implements legacy role import functionality. The affected installation is identified by the CPE cpe:/a:redhat:ansible_automation_platform:2 and includes all releases of version 2 of the platform.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity risk. The EPSS score of less than 1% suggests a low probability of exploitation in the wild as of the latest assessment. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to have authenticated access and to control a git repository whose ref names can be set. The mitigatable configuration parameter GALAXY_ENABLE_LEGACY_ROLES is not enabled by default, so exposure is limited to customers who intentionally enable legacy role support. Nonetheless, the potential impact of remote code execution warrants prompt remediation.
OpenCVE Enrichment
Github GHSA