CVE-2019-14905
7.3
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L
Summary
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Ansible | 2.9.x before 2.9.3 | affected |
| Red Hat | Ansible | 2.8.x before 2.8.8 | affected |
| Red Hat | Ansible | 2.7.x before 2.7.16 | affected |
| Red Hat | Ansible | 2.7.x and earlier | affected |
Weaknesses
- CWE-20: CWE-20
- CWE-73: CWE-73
ADP Enrichment
CVE Program Container
Additional References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14905
- https://access.redhat.com/errata/RHSA-2020:0218
- https://access.redhat.com/errata/RHSA-2020:0216
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5BNCYPQ4BY5QHBCJOAOPANB5FHATW2BR/
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14905
- https://access.redhat.com/errata/RHSA-2020:0218
- https://access.redhat.com/errata/RHSA-2020:0216
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5BNCYPQ4BY5QHBCJOAOPANB5FHATW2BR/
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.