CVE-2023-5189 is a path traversal vulnerability identified in Red Hat Ansible Automation Platform version 2.4 running on Red Hat Enterprise Linux 8. The flaw exists in the galaxy importer component responsible for extracting tarballs. An attacker can craft a malicious tarball containing symbolic links that, when extracted, cause files outside the intended extraction directory to be overwritten. This occurs because the tarball extraction process does not properly sanitize or restrict relative paths or symlink targets, enabling directory traversal attacks. The vulnerability impacts the integrity of the system by allowing unauthorized modification of files, potentially altering automation scripts or configuration files critical to Ansible's operation. The CVSS 3.1 base score is 6.3 (medium), reflecting network attack vector, low attack complexity, required privileges, and user interaction. Confidentiality impact is low, integrity impact is high, and availability is unaffected. No public exploits or active exploitation have been reported as of the publication date. The vulnerability primarily affects environments where the galaxy importer is used to import roles or collections from untrusted sources, which is common in automated deployment pipelines. Proper validation and patching are essential to mitigate risk.

For European organizations, the impact centers on the potential unauthorized modification of automation workflows and configuration files managed by Ansible Automation Platform. This can lead to corrupted or malicious automation tasks, causing operational disruptions or security policy violations. Since Ansible is widely used in enterprise IT environments for configuration management, continuous deployment, and orchestration, exploitation could undermine trust in automated processes and introduce persistent integrity issues. Although availability is not directly impacted, the integrity compromise could cascade into service misconfigurations or security control failures. Organizations in sectors with high reliance on automation, such as finance, telecommunications, manufacturing, and public administration, face increased risk. The requirement for privileges and user interaction limits remote exploitation but insider threats or compromised user accounts could leverage this vulnerability. The absence of known exploits reduces immediate risk but does not eliminate the threat of future attacks.

1. Apply official patches or updates from Red Hat as soon as they become available to address CVE-2023-5189. 2. Restrict permissions on directories used by the galaxy importer to minimize the impact of malicious file extraction. 3. Implement strict validation and sanitization of tarball contents before importing, including checking for symlinks and relative paths that could lead to traversal. 4. Use containerization or sandboxing techniques to isolate the extraction process, preventing unauthorized file system modifications. 5. Monitor file integrity and audit logs for unexpected changes in directories used by Ansible Automation Platform. 6. Limit user privileges and enforce the principle of least privilege for accounts interacting with the galaxy importer. 7. Educate administrators and users about the risks of importing untrusted content and encourage use of verified sources. 8. Employ network segmentation to restrict access to Ansible management interfaces and reduce exposure to potential attackers.