ID CVE-2019-14905
Summary A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, in Ansible's nxos_file_copy module, which can be used to copy files to flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injection. This could result in a loss of confidentiality of the system, among other issues.
References
Vulnerable Configurations
  • cpe:2.3:a:redhat:ansible_engine:2.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.7.3:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.7.4:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.7.5:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.7.6:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.7.7:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.7.8:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.7.9:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.7.10:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.7.11:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.7.12:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.7.13:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.7.14:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.7.15:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.8.6:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.8.8:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_engine:2.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ansible_tower:3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:ceph_storage:3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
  • cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
CVSS
Base: 4.6 (as of 02-11-2021 - 18:09)
Impact:
Exploitability:
CWE CWE-668
CAPEC
Access
Vector: LOCAL
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:L/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • rhsa
    id RHSA-2020:0216
  • rhsa
    id RHSA-2020:0218
rpms
  • ansible-0:2.9.4-1.el7ae
  • ansible-0:2.9.4-1.el8ae
  • ansible-test-0:2.9.4-1.el7ae
  • ansible-test-0:2.9.4-1.el8ae
  • ansible-0:2.8.8-1.el7ae
  • ansible-0:2.8.8-1.el8ae
  • ansible-0:2.7.16-1.el7ae
refmap via4
confirm https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14905
fedora FEDORA-2020-2bed89517f
suse
  • openSUSE-SU-2020:0513
  • openSUSE-SU-2020:0523
Last major update 02-11-2021 - 18:09
Published 31-03-2020 - 17:15
Last modified 02-11-2021 - 18:09