Mageia: 2020-0060 Moderate: Ansible Zone Naming Command Injection
mageia
January 28, 2020
A flaw was found in the solaris_zone module from the Ansible Community modules
Summary
A flaw was found in the solaris_zone module from the Ansible Community
modules. When setting the name for the zone on the Solaris host, the
zone name is checked by listing the process with the 'ps' bare command
on the remote machine. An attacker could take advantage of this flaw by
crafting the name of the zone and executing arbitrary commands in the
remote host (CVE-2019-14904).
A vulnerability in Ansible's nxos_file_copy module can be used to copy
files to a flash or bootflash on NXOS devices. Malicious code could
craft the filename parameter to perform OS command injections. This
could result in a loss of confidentiality of the system among other
issues (CVE-2019-14905).
References
- https://bugs.mageia.org/show_bug.cgi?id=26125
- https://github.com/ansible/ansible/blob/v2.7.16/changelogs/CHANGELOG-v2.7.rst
- https://access.redhat.com/errata/RHSA-2020:0217
- https://www.cve.org/CVERecord?id=CVE-2019-14904
- https://www.cve.org/CVERecord?id=CVE-2019-14905
Resolution
SRPMS
- 7/core/ansible-2.7.16-1.mga7
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Publication date: 28 Jan 2020
URL: https://advisories.mageia.org/MGASA-2020-0060.html
Type: security
CVE: CVE-2019-14904,
CVE-2019-14905
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!