Skip to content

Externally Controlled Reference to a Resource in Another Sphere, Improper Input Validation, and External Control of File Name or Path in Ansible

Moderate severity GitHub Reviewed Published Apr 20, 2021 to the GitHub Advisory Database • Updated Sep 5, 2024

Package

pip ansible (pip)

Affected versions

>= 2.7.0a1, < 2.7.16
>= 2.8.0a1, < 2.8.8
>= 2.9.0a1, < 2.9.3

Patched versions

2.7.16
2.8.8
2.9.3

Description

A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.

References

Published by the National Vulnerability Database Mar 31, 2020
Reviewed Apr 5, 2021
Published to the GitHub Advisory Database Apr 20, 2021
Last updated Sep 5, 2024

Severity

Moderate

EPSS score

0.048%
(19th percentile)

CVE ID

CVE-2019-14905

GHSA ID

GHSA-frxj-5j27-f8rf

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.