CVE-2019-14905: A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy…

medium5.6CVSS 3.1

AVLACLPRHUINSUCHILAL

A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.

Affected

22 ranges

Vendor	Product	Version range	Fixed in
debian	ansible	< ansible 2.9.4+dfsg-1 (bookworm)	ansible 2.9.4+dfsg-1 (bookworm)
fedoraproject	fedora	—	—
opensuse	backports_sle	—	—
opensuse	leap	—	—
red_hat	ansible	—	—
red_hat	ansible	—	—
red_hat	ansible	—	—
red_hat	ansible	—	—
redhat	ansible	>= 0 < 2.9.4+dfsg-1	2.9.4+dfsg-1
redhat	ansible	>= 0 < 2.9.4+dfsg-1	2.9.4+dfsg-1
redhat	ansible	>= 0 < 2.9.4+dfsg-1	2.9.4+dfsg-1
redhat	ansible	>= 0 < 2.9.4+dfsg-1	2.9.4+dfsg-1
redhat	ansible	>= 2.7.0a1 < 2.7.16	2.7.16
redhat	ansible	>= 2.8.0a1 < 2.8.8	2.8.8
redhat	ansible	>= 2.9.0a1 < 2.9.3	2.9.3
redhat	ansible_engine	>= 2.7.0 < 2.7.16	2.7.16
redhat	ansible_engine	>= 2.8.0 < 2.8.8	2.8.8
redhat	ansible_engine	>= 2.9.0 < 2.9.3	2.9.3
redhat	ansible_tower	—	—
redhat	ceph_storage	—	—
redhat	cloudforms_management_engine	—	—
redhat	openstack	—	—

CVSS provenance

nvdv3.15.6MEDIUMCVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L

osv5.6MEDIUM