7.5

CVE-2026-12398

Galaxy_ng: shell injection in legacy role import via unsanitized git ref names

A command injection vulnerability was found in galaxy_ng. The do_git_checkout() function in the legacy role import API (v1) interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run() with shell=True. An authenticated user who controls a git repository can create a branch or tag with shell metacharacters in the name to achieve remote code execution on the pulp worker. The vulnerable endpoint is only reachable when GALAXY_ENABLE_LEGACY_ROLES is set to True, which is not the default configuration.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerRed Hat
Produkt Red Hat Ansible Automation Platform 2
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat Ansible Automation Platform 2
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Ansible Automation Platform 2
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Ansible Automation Platform 2
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Ansible Automation Platform 2
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Ansible Automation Platform 2
Default Statusunknown
HerstellerRed Hat
Produkt Red Hat Ansible Automation Platform 2
Default Statusunknown
HerstellerRed Hat
Produkt Red Hat Ansible Automation Platform 2
Default Statusunknown
HerstellerRed Hat
Produkt Red Hat Ansible Automation Platform 2
Default Statusunknown
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.89% 0.546
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
secalert@redhat.com 7.5 1.6 5.9
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://access.redhat.com/security/cve/CVE-2026-12398
https://bugzilla.redhat.com/show_bug.cgi?id=2489180