CVE-2019-14904
Ansible < 2.7.15 - OS Command Injection via Solaris Zone Name Parameter
Severity: HIGH
Title source: llmDescription
A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name of a zone on a Solaris host, the module validates the zone name by listing processes with a bare 'ps' command on the remote machine. An attacker could exploit this flaw by crafting the zone name so that arbitrary commands are executed on the remote host. Ansible Engine 2.7.15, 2.8.7, and 2.9.2, as well as previous versions, are affected.
References (4)
Issue Tracking, Vendor Advisory (x_refsource_misc): https://bugzilla.redhat.com/show_bug.cgi?id=1776944
Patch, Third Party Advisory (x_refsource_misc): https://github.com/ansible/ansible/pull/65686
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
Third Party Advisory (vendor-advisory, x_refsource_debian): https://www.debian.org/security/2021/dsa-4950
Scores
CVSS v3: 7.3
EPSS: 0.0004
EPSS Percentile: 11.1%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L
Details
CWE: CWE-78, CWE-20
Status: published
Products (4)
debian/debian_linux: 9.0
debian/debian_linux: 10.0
pypi/ansible: 0 - 2.7.16 (PyPI)
redhat/ansible: < 2.7.15
Published: Aug 26, 2020
Tracked Since: Feb 18, 2026