CVE-2019-14905
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
31/03/2020
Last modified:
07/11/2023
Description
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.
Impact
Base Score 3.x
5.60
Severity 3.x
MEDIUM
Base Score 2.0
4.60
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:* | 2.7.0 (including) | 2.7.16 (excluding) |
| cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:* | 2.8.0 (including) | 2.8.8 (excluding) |
| cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:* | 2.9.0 (including) | 2.9.3 (excluding) |
| cpe:2.3:a:redhat:ansible_tower:3.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:redhat:ceph_storage:3.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:* | ||
| cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:* | ||
| cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
- https://access.redhat.com/errata/RHSA-2020:0216
- https://access.redhat.com/errata/RHSA-2020:0218
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14905
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5BNCYPQ4BY5QHBCJOAOPANB5FHATW2BR/