CVE-2019-14905 - Exposure of Resource to Wrong Sphere vulnerability in multiple products
- Attack vector: LOCAL
- Attack complexity: LOW
- Privileges required: HIGH
- Confidentiality impact: HIGH
- Integrity impact: LOW
- Availability impact: LOW

Summary
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, in Ansible's nxos_file_copy module, which can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2020-0215.NASL
- description: An update for ansible is now available for Ansible Engine 2.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. The following packages have been upgraded to a newer upstream version: ansible (2.9.4). Bug Fix(es):
  - CVE-2019-14904 Ansible: vulnerability in solaris_zone module via crafted solaris zone
  - CVE-2019-14905 Ansible: malicious code could craft filename in nxos_file_copy module

  See https://github.com/ansible/ansible/blob/v2.9.4/changelogs/CHANGELOG-v2.9.rst for details on bug fixes in this release.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 133246
- published: 2020-01-27
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/133246
- title: RHEL 7 / 8 : Ansible (RHSA-2020:0215)
- code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2020:0215. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(133246);
  script_version("1.2");
  script_cvs_date("Date: 2020/01/30");

  script_cve_id("CVE-2019-14904", "CVE-2019-14905");
  script_xref(name:"RHSA", value:"2020:0215");

  script_name(english:"RHEL 7 / 8 : Ansible (RHSA-2020:0215)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"An update for ansible is now available for Ansible Engine 2.9

Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

Ansible is a simple model-driven configuration management, multi-node
deployment, and remote-task execution system. Ansible works over SSH
and does not require any software or daemons to be installed on remote
nodes. Extension modules can be written in any language and are
transferred to managed machines automatically.

The following packages have been upgraded to a newer upstream version:
ansible (2.9.4)

Bug Fix(es) :

* CVE-2019-14904 Ansible: vulnerability in solaris_zone module via
crafted solaris zone

* CVE-2019-14905 Ansible: malicious code could craft filename in
nxos_file_copy module

See:
https://github.com/ansible/ansible/blob/v2.9.4/changelogs/CHANGELOG-v2.9.rst
for details on bug fixes in this release."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2020:0215"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2019-14904"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2019-14905"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected ansible and / or ansible-test packages."
  );
  script_set_attribute(attribute:"risk_factor", value:"Medium");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ansible");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ansible-test");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");

  script_set_attribute(attribute:"patch_publication_date", value:"2020/01/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/27");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^(7|8)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x / 8.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2020:0215";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port     : 0,
      severity : SECURITY_WARNING,
      extra    : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;

  if (! (rpm_exists(release:"RHEL7", rpm:"ansible-2.9") || rpm_exists(release:"RHEL8", rpm:"ansible-2.9"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "Red Hat Ansible 2.9");

  if (rpm_check(release:"RHEL7", reference:"ansible-2.9.4-1.el7")) flag++;
  if (rpm_check(release:"RHEL7", reference:"ansible-test-2.9.4-1.el7")) flag++;

  if (rpm_check(release:"RHEL8", reference:"ansible-2.9.4-1.el8")) flag++;
  if (rpm_check(release:"RHEL8", reference:"ansible-test-2.9.4-1.el8")) flag++;

  if (flag)
  {
    security_report_v4(
      port     : 0,
      severity : SECURITY_WARNING,
      extra    : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ansible / ansible-test");
  }
}
```

- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2020-0216.NASL
- description: An update for ansible is now available for Ansible Engine 2.8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. The following packages have been upgraded to a newer upstream version: ansible (2.8.8). Bug Fix(es):
  - CVE-2019-14904 Ansible: vulnerability in solaris_zone module via crafted solaris zone
  - CVE-2019-14905 Ansible: malicious code could craft filename in nxos_file_copy module

  See https://github.com/ansible/ansible/blob/v2.8.8/changelogs/CHANGELOG-v2.8.rst for details on bug fixes in this release.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 133247
- published: 2020-01-27
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/133247
- title: RHEL 7 / 8 : Ansible (RHSA-2020:0216)
- code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2020:0216. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(133247);
  script_version("1.2");
  script_cvs_date("Date: 2020/01/30");

  script_cve_id("CVE-2019-14904", "CVE-2019-14905");
  script_xref(name:"RHSA", value:"2020:0216");

  script_name(english:"RHEL 7 / 8 : Ansible (RHSA-2020:0216)");
  script_summary(english:"Checks the rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"An update for ansible is now available for Ansible Engine 2.8

Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

Ansible is a simple model-driven configuration management, multi-node
deployment, and remote-task execution system. Ansible works over SSH
and does not require any software or daemons to be installed on remote
nodes. Extension modules can be written in any language and are
transferred to managed machines automatically.

The following packages have been upgraded to a newer upstream version:
ansible (2.8.8)

Bug Fix(es) :

* CVE-2019-14904 Ansible: vulnerability in solaris_zone module via
crafted solaris zone

* CVE-2019-14905 Ansible: malicious code could craft filename in
nxos_file_copy module

See:
https://github.com/ansible/ansible/blob/v2.8.8/changelogs/CHANGELOG-v2.8.rst
for details on bug fixes in this release."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2020:0216"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2019-14904"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2019-14905"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected ansible package."
  );
  script_set_attribute(attribute:"risk_factor", value:"Medium");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ansible");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");

  script_set_attribute(attribute:"patch_publication_date", value:"2020/01/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/27");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^(7|8)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x / 8.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2020:0216";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port     : 0,
      severity : SECURITY_WARNING,
      extra    : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;

  if (! (rpm_exists(release:"RHEL7", rpm:"ansible-2.8") || rpm_exists(release:"RHEL8", rpm:"ansible-2.8"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "Red Hat Ansible 2.8");

  if (rpm_check(release:"RHEL7", reference:"ansible-2.8.8-1.el7")) flag++;

  if (rpm_check(release:"RHEL8", reference:"ansible-2.8.8-1.el8")) flag++;

  if (flag)
  {
    security_report_v4(
      port     : 0,
      severity : SECURITY_WARNING,
      extra    : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ansible");
  }
}
```

- NASL family: SuSE Local Security Checks
- NASL id: OPENSUSE-2020-513.NASL
- description: This update for ansible to version 2.9.6 fixes the following issues. Security issues fixed:
  - CVE-2019-14904: Fixed a vulnerability in solaris_zone module via crafted solaris zone (boo#1157968).
  - CVE-2019-14905: Fixed an issue where malicious code could craft filename in nxos_file_copy module (boo#1157969).
  - CVE-2019-14864: Fixed Splunk and Sumologic callback plugins leak sensitive data in logs (boo#1154830).
  - CVE-2019-14846: Fixed secrets disclosure on logs due to display is hardcoded to DEBUG level (boo#1153452)
  - CVE-2019-14856: Fixed insufficient fix for CVE-2019-10206 (boo#1154232)
  - CVE-2019-14858: Fixed data in the sub parameter fields that will not be masked and will be displayed when run with increased verbosity (boo#1154231)
  - CVE-2019-10206: ansible-playbook -k and ansible cli tools prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them. (boo#1142690)
  - CVE-2019-10217: Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks. (boo#1144453)
- last seen: 2020-04-17
- modified: 2020-04-14
- plugin id: 135454
- published: 2020-04-14
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/135454
- title: openSUSE Security Update : ansible (openSUSE-2020-513)

- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2020-0218.NASL
- description: An update for ansible is now available for Ansible Engine 2. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. The following packages have been upgraded to a newer upstream version: ansible (2.9.4). Bug Fix(es):
  - CVE-2019-14904 Ansible: vulnerability in solaris_zone module via crafted solaris zone
  - CVE-2019-14905 Ansible: malicious code could craft filename in nxos_file_copy module

  See https://github.com/ansible/ansible/blob/v2.9.4/changelogs/CHANGELOG-v2.9.rst for details on bug fixes in this release.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 133249
- published: 2020-01-27
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/133249
- title: RHEL 7 / 8 : Ansible (RHSA-2020:0218)

- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2020-0217.NASL
- description: An update for ansible is now available for Ansible Engine 2.7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. The following packages have been upgraded to a newer upstream version: ansible (2.7.16). Bug Fix(es):
  - CVE-2019-14904 Ansible: vulnerability in solaris_zone module via crafted solaris zone
  - CVE-2019-14905 Ansible: malicious code could craft filename in nxos_file_copy module

  See https://github.com/ansible/ansible/blob/v2.7.16/changelogs/CHANGELOG-v2.7.rst for details on bug fixes in this release.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 133248
- published: 2020-01-27
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/133248
- title: RHEL 7 : Ansible (RHSA-2020:0217)

- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2020-2BED89517F.NASL
- description: Update to bugfix release 2.9.3. See https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-04-09
- modified: 2020-01-31
- plugin id: 133367
- published: 2020-01-31
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/133367
- title: Fedora 30 : ansible (2020-2bed89517f)

- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2020-CAF7F7D0D9.NASL
- description: Update to bugfix release 2.9.3. See https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-04-10
- modified: 2020-01-31
- plugin id: 133374
- published: 2020-01-31
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/133374
- title: Fedora 31 : ansible (2020-caf7f7d0d9)

References
- https://access.redhat.com/errata/RHSA-2020:0218
- https://access.redhat.com/errata/RHSA-2020:0216
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14905
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5BNCYPQ4BY5QHBCJOAOPANB5FHATW2BR/