CVE-2023-5189 is a relative path traversal vulnerability identified in Red Hat Ansible Automation Platform 2.4 running on RHEL 8. The issue arises during the extraction process of tarballs by the galaxy importer component of the Ansible Automation Hub. An attacker can craft a malicious tarball containing symbolic links that, when extracted, can overwrite arbitrary files on the host filesystem. This occurs because the tarball extraction does not properly sanitize or restrict file paths, allowing traversal outside the intended extraction directory. The vulnerability requires the attacker to have network access to the Ansible Automation Hub and some level of privileges (PR:L), as well as user interaction (UI:R) to trigger the import process. The CVSS v3.1 base score is 6.3, indicating a medium severity level. The impact primarily affects the integrity of the system by enabling unauthorized modification of files, which could lead to altered configurations or compromised automation workflows. Confidentiality impact is limited, and availability is not affected. No public exploits or active exploitation campaigns have been reported to date. This vulnerability highlights the risks associated with improper input validation and path sanitization in automation platforms that handle external content. Given the widespread use of Ansible in enterprise and cloud environments, exploitation could facilitate further attacks or persistence if leveraged by threat actors.

For European organizations, the primary impact of CVE-2023-5189 lies in the potential unauthorized modification of critical configuration and operational files managed by Ansible Automation Platform. This can disrupt automation workflows, cause misconfigurations, or introduce malicious changes that may be leveraged for lateral movement or privilege escalation. Since Ansible is widely used in IT infrastructure automation, compromised integrity could affect multiple systems and services, leading to operational disruptions or security breaches. The vulnerability does not directly impact availability or confidentiality but can indirectly facilitate further attacks. Organizations in sectors with high automation reliance, such as finance, telecommunications, manufacturing, and government, are at greater risk. The requirement for some privileges and user interaction reduces the likelihood of widespread automated exploitation but does not eliminate targeted attacks. The absence of known exploits in the wild currently limits immediate risk, but proactive mitigation is essential to prevent future exploitation.

1. Apply official patches or updates from Red Hat as soon as they are released to address CVE-2023-5189. 2. Restrict filesystem permissions on directories used by the galaxy importer to prevent unauthorized write or symlink creation. 3. Implement strict validation and sanitization of tarball contents before extraction, including rejecting tarballs with suspicious or absolute paths and symbolic links. 4. Limit user privileges required to import content into Ansible Automation Hub to trusted administrators only. 5. Monitor logs and file integrity of directories involved in automation workflows for unexpected changes or symlink creations. 6. Consider isolating the Ansible Automation Hub environment using containerization or sandboxing to limit the impact of potential exploitation. 7. Educate administrators on the risks of importing untrusted content and enforce policies to only use verified sources for automation content. 8. Employ network segmentation and access controls to restrict exposure of the Ansible Automation Hub to untrusted networks or users.