Mageni Mageni Security LLC

Free and open-source vulnerability scanner

Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.

Install Now

Available for macOS, Windows, and Linux

App screenshot

CVE-2019-14905

CVE information

Published

4 years ago

Last Modified

5 months ago

CVSSv2.0 Severity

Medium

CVSSv3.1 Severity

Medium

Impact Analysis

Share

Description

A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues..

CVSSv2.0 Score

Severity
Medium
Base Score
4.6/10
Exploit Score
3.9/10
Access Vector
Local
Access Complexity
Low
Authentication Required
None
Impact Score
6.4/10
Confidentiality Impact
Partial
Availability Impact
Partial
Integrity Impact
Partial

CVSSv3.1 Score

Severity
Medium
Base Score
5.6/10
Exploit Score
0.8/10
Access Vector
Local
Access Complexity
Low
Privileges Required
High
Impact Score
4.7/10
Confidentiality Impact
High
Availability Impact
Low
Integrity Impact
Low
Scope
Unchanged
User Interaction
None

Products Affected

CPE Affected Vulnerable Excluding Edit
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
  Yes
2.7.0 2.7.16
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
  Yes
2.8.0 2.8.8
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
  Yes
2.9.0 2.9.3
cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:
  Yes
- -
cpe:2.3:a:redhat:ceph_storage:3.0:*:*:*:*:*:*:*
  Yes
- -
cpe:2.3:a:redhat:ansible_tower:3.0.0:*:*:*:*:*:*:*
  Yes
- -
cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*
  Yes
- -
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
  Yes
- -
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
  Yes
- -
cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
  Yes
- -

References