CVE-2019-14905

MEDIUM

Redhat Ansible Engine < 2.7.16 - Command Injection

Title source: rule

Description

A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.

References (6)

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html

[Patch, Vendor Advisory] https://access.redhat.com/errata/RHSA-2020:0216

[Patch, Vendor Advisory] https://access.redhat.com/errata/RHSA-2020:0218

[Issue Tracking, Patch, Vendor Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14905

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5BNCYPQ4BY5QHBCJOAOPANB5FHATW2BR/

Scores

CVSS v3 5.6

EPSS 0.0005

EPSS Percentile 15.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L

Classification

CWE

CWE-668 CWE-20 CWE-73

Status published

Affected Products (9)

redhat/ansible_engine < 2.7.16

redhat/ansible_tower

redhat/ceph_storage

redhat/cloudforms_management_engine

redhat/openstack

fedoraproject/fedora

opensuse/backports_sle

opensuse/leap

pypi/ansible < 2.7.16PyPI

Timeline

Published Mar 31, 2020

Tracked Since Feb 18, 2026