OS Command Injection Vulnerability in Ansible Engine by Red Hat
CVE-2019-14905

7.3HIGH

Key Information:

Vendor
Red Hat
Status
Ansible
Vendor
CVE Published:
31 March 2020

Summary

A vulnerability exists in specific versions of Ansible Engine, where the nxos_file_copy module allows attackers to manipulate the filename parameter. This exploitation can lead to OS command injections, potentially compromising system confidentiality and integrity on NXOS devices. The affected versions are vulnerable before their respective patch releases, highlighting the importance of updating to secure system environments.

Affected Version(s)

Ansible 2.9.x before 2.9.3

Ansible 2.8.x before 2.8.8

Ansible 2.7.x before 2.7.16

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14905
x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2020:0218
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2020:0216
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.