Moderate severity · NVD Advisory · Published Nov 14, 2023 · Updated Nov 20, 2025
Hub: insecure galaxy-importer tarfile extraction
CVE-2023-5189
Description
A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten.
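As an added defensive example (not galaxy-importer's or Ansible's own code), the pre-extraction check below rejects the archive members the description refers to: entries whose name traverses out of the destination, symlinks or hard links whose target resolves outside it, and entries written through a symlink an earlier member created. The archive contents and the destination path /tmp/galaxy-import are constructed for the illustration.

```python
import io
import os
import posixpath
import tarfile

def _inside(base, path):
    """True if the normalised absolute path lies within base."""
    base, path = os.path.realpath(base), os.path.realpath(path)
    return path == base or path.startswith(base + os.sep)

def find_unsafe_members(tar, dest):
    """Names of members that would escape dest: upward-traversing or absolute
    names, symlinks/hard links whose target resolves outside dest, and any
    member written through a directory an earlier symlink member created."""
    unsafe, symlinks = [], set()
    for m in tar.getmembers():
        name = posixpath.normpath(m.name)
        parts = name.split("/")
        # a write through an earlier symlink lands wherever that link points
        via_link = any("/".join(parts[:i]) in symlinks for i in range(1, len(parts)))
        target = os.path.join(dest, name)
        # symlink targets are relative to the link's directory, hard links to the root
        link = os.path.join(os.path.dirname(target) if m.issym() else dest, m.linkname)
        if m.issym():
            symlinks.add(name)
        if via_link or not _inside(dest, target):
            unsafe.append(m.name)
        elif (m.issym() or m.islnk()) and not _inside(dest, link):
            unsafe.append(m.name)
    return unsafe

def build_tar(entries):
    """Constructed sample archive from (name, kind, payload) tuples, in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type, info.linkname = tarfile.SYMTYPE, payload
                tar.addfile(info)
            else:
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")

def unsafe_in(entries, dest="/tmp/galaxy-import"):  # dest is a hypothetical path
    return find_unsafe_members(build_tar(entries), dest)
```

Python 3.12 (and the PEP 706 backports in 3.8.17, 3.9.17, 3.10.12 and 3.11.4) also ships tarfile's `filter="data"` extraction filter, which enforces equivalent rules at extraction time.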
Affected packages
Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| galaxy-importer (PyPI) | <= 0.4.16 | — |
Affected products
- Red Hat Ansible Automation Platform 2.4 for RHEL 8 (cpe:/a:redhat:ansible_automation_platform:2.4::el8), range: 0:0.4.18-1.el9ap
- Red Hat Satellite 6.14 for RHEL 8 (cpe:/a:redhat:satellite:6.14::el8), range: 0:0.4.18-2.el8pc
- Red Hat Satellite 6.15 for RHEL 8 (cpe:/a:redhat:satellite_utils:6.15::el8), range: 0:0.4.19-2.el8pc
References
- access.redhat.com/errata/RHSA-2023:7773 (vendor advisory)
- access.redhat.com/errata/RHSA-2024:1536 (vendor advisory)
- access.redhat.com/errata/RHSA-2024:2010 (vendor advisory)
- github.com/advisories/GHSA-55g2-vm3q-7w52 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-5189 (advisory)
- access.redhat.com/security/cve/CVE-2023-5189 (vulnerability database entry)
- bugzilla.redhat.com/show_bug.cgi (issue tracking)
- github.com/ansible/galaxy-importer/blob/2c5c7c05fdfb0835878234b36de32902c703616d/galaxy_importer/collection.py (source)