CVE-2019-14905
Severity
5.6 MEDIUM
EPSS
0.1%
top 84.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Mar 31
Latest update Apr 20
Description
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, in Ansible's nxos_file_copy module, which can be used to copy files to flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injection. This could result in a loss of confidentiality of the system, among other issues.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
Exploitability: 0.8 | Impact: 4.7
Affected Packages: 10 packages
Also affects: Fedora 30
Patches
🔴 Vulnerability Details (4)
GHSA: Externally Controlled Reference to a Resource in Another Sphere, Improper Input Validation, and External Control of File Name or Path in Ansible (2021-04-20)
OSV: Externally Controlled Reference to a Resource in Another Sphere, Improper Input Validation, and External Control of File Name or Path in Ansible (2021-04-20)
📋 Vendor Advisories (2)
💬 Community (4)
Bugzilla: CVE-2019-14905 ansible: malicious code could craft filename in nxos_file_copy module [epel-all] (2019-11-28)
Bugzilla: CVE-2019-14905 ansible: malicious code could craft filename in nxos_file_copy module [openstack-rdo] (2019-11-28)
Bugzilla: CVE-2019-14905 ansible: malicious code could craft filename in nxos_file_copy module [fedora-all] (2019-11-28)