CVE-2019-14905 — MEDIUM (5.6)

Q: How severe is CVE-2019-14905?

CVE-2019-14905 has been rated MEDIUM with a CVSS base score of 5.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-14905?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Ansible Engine, Redhat Ansible Tower, Redhat Ceph Storage, Redhat Cloudforms Management Engine, Redhat Openstack.

Vulnerability Description

A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.

CVSS Score

5.6

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Redhat	Ansible Engine	>= 2.7.0, < 2.7.16
Redhat	Ansible Tower	3.0.0
Redhat	Ceph Storage	3.0
Redhat	Cloudforms Management Engine	5.0
Redhat	Openstack	13
Fedoraproject	Fedora	30
Opensuse	Backports Sle	15.0
Opensuse	Leap	15.1

Related Weaknesses (CWE)

CWE-20 CWE-668 CWE-73

References

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.htmlMailing ListThird Party Advisory
https://access.redhat.com/errata/RHSA-2020:0216PatchVendor Advisory
https://access.redhat.com/errata/RHSA-2020:0218PatchVendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14905Issue TrackingPatchVendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.htmlMailing ListThird Party Advisory
https://access.redhat.com/errata/RHSA-2020:0216PatchVendor Advisory
https://access.redhat.com/errata/RHSA-2020:0218PatchVendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14905Issue TrackingPatchVendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2019-14905?

CVE-2019-14905 is a vulnerability with a CVSS score of 5.6 (MEDIUM). A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a fl...

How severe is CVE-2019-14905?

CVE-2019-14905 has been rated MEDIUM with a CVSS base score of 5.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-14905?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Ansible Engine, Redhat Ansible Tower, Redhat Ceph Storage, Redhat Cloudforms Management Engine, Redhat Openstack.