CVE-2019-14905 Detail
Current Description
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible’s nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.
Source: MITRE
View Analysis Description
Analysis Description
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible’s nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.
Source: MITRE
Severity
References to Advisories, Solutions, and Tools
By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].
Weakness Enumeration
| CWE-ID | CWE Name | Source |
|---|---|---|
| CWE-610 | Externally Controlled Reference to a Resource in Another Sphere | NIST |
| CWE-73 | External Control of File Name or Path | Red Hat, Inc. |
| CWE-20 | Improper Input Validation | Red Hat, Inc. |
Known Affected Software Configurations Switch to CPE 2.2
Configuration 1 ( hide )
| cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:* Show Matching CPE(s) |
From (including) 2.7.0 |
Up to (excluding) 2.7.16 |
| cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:* Show Matching CPE(s) |
From (including) 2.8.0 |
Up to (excluding) 2.8.8 |
| cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:* Show Matching CPE(s) |
From (including) 2.9.0 |
Up to (excluding) 2.9.3 |
Change History
1 change record found – show changes
Initial Analysis – 4/2/2020 9:30:31 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CPE Configuration |
OR
*cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:* versions from (including) 2.7.0 up to (excluding) 2.7.16
*cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:* versions from (including) 2.8.0 up to (excluding) 2.8.8
*cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:* versions from (including) 2.9.0 up to (excluding) 2.9.3
|
|
| Added | CPE Configuration |
OR
*cpe:2.3:a:redhat:ansible_tower:3.0.0:*:*:*:*:*:*:*
*cpe:2.3:a:redhat:ceph_storage:3.0:*:*:*:*:*:*:*
*cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:*
*cpe:2.3:a:redhat:openstack:13.0:*:*:*:*:*:*:*
|
|
| Added | CPE Configuration |
OR
*cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
|
|
| Added | CVSS V2 |
NIST (AV:L/AC:L/Au:N/C:P/I:P/A:P) |
|
| Added | CVSS V3.1 |
NIST AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L |
|
| Added | CWE |
NIST CWE-610 |
|
| Changed | Reference Type |
https://access.redhat.com/errata/RHSA-2020:0216 No Types Assigned |
https://access.redhat.com/errata/RHSA-2020:0216 Patch, Vendor Advisory |
| Changed | Reference Type |
https://access.redhat.com/errata/RHSA-2020:0218 No Types Assigned |
https://access.redhat.com/errata/RHSA-2020:0218 Patch, Vendor Advisory |
| Changed | Reference Type |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14905 No Types Assigned |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14905 Issue Tracking, Patch, Vendor Advisory |
| Changed | Reference Type |
https://lists.fedoraproject.org/archives/list/[email protected]/message/5BNCYPQ4BY5QHBCJOAOPANB5FHATW2BR/ No Types Assigned |
https://lists.fedoraproject.org/archives/list/[email protected]/message/5BNCYPQ4BY5QHBCJOAOPANB5FHATW2BR/ Mailing List, Patch, Release Notes, Third Party Advisory |
Quick Info
CVE Dictionary Entry:
CVE-2019-14905
NVD Published Date:
03/31/2020
NVD Last Modified:
04/02/2020