SB2020012036 - Fedora EPEL 8 update for ansible
Published: January 20, 2020 Updated: April 25, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2019-14856)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None
2) Input validation error (CVE-ID: CVE-2019-10206)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.
3) OS Command Injection (CVE-ID: CVE-2019-14904)
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation when processing zone names within the solaris_zone module. A remote uuser can provide a specially crafted zone name as a parameter to the os.system() call and execute arbitrary OS commands on the target system.
4) OS Command Injection (CVE-ID: CVE-2019-14905)
The vulnerability allows a local user to execute arbitrary shell commands on the target system.
The vulnerability exists due to incorrect validation of filenames within the nxos_file_copy module when copying files to a flash or bootflash on NXOS devices using the remote_file parameter. A local user or malicious code can abuse this functionality to inject and execute arbitrary OS commands on the system with elevated privileges.
Remediation
Install update from vendor's website.