PT-2020-6246 · Ansible · Ansible Engine

Abhijeet Kasurde · Published 2020-01-28 · Updated 2026-06-03 · CVE-2019-14904

CVSS v4.0: 8.3 (High)

Vector: AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L
Name of the Vulnerable Software and Affected Versions

Ansible Engine versions 2.7.15 through 2.9.2 and all previous versions

Description

A flaw was found in the solaris zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host.

Recommendations

For Ansible Engine versions 2.7.15 through 2.9.2 and all previous versions, consider disabling the solaris zone module until a patch is available to prevent exploitation. Restrict access to the remote host to minimize the risk of arbitrary command execution. Avoid using the 'ps' command for zone name checks in the solaris zone module until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
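
An added example, not code from the Ansible project or from this advisory: one way to keep a zone name from ever being parsed by a shell is to check it against an allowlist and hand it to `ps` as a single argv element. The allowlist pattern, the `ps` arguments, the function names and the sample output are assumptions constructed for illustration.

```python
import re
import subprocess

# Assumption: allowlist modelled on Solaris zone naming rules (alphanumeric
# first character, then alphanumerics, '-', '_' or '.', at most 63 characters).
ZONE_NAME_RE = re.compile(r"[a-zA-Z0-9][-_.a-zA-Z0-9]{0,62}")


def validate_zone_name(name):
    """Return the name unchanged if it is a plain zone identifier, else raise."""
    if not isinstance(name, str) or ZONE_NAME_RE.fullmatch(name) is None:
        raise ValueError("invalid zone name: %r" % (name,))
    return name


def list_zone_processes(name, run=subprocess.run):
    """List (pid, args) for a zone; the name is one argv element, no shell."""
    argv = ["ps", "-z", validate_zone_name(name), "-o", "pid,args"]
    result = run(argv, capture_output=True, text=True, check=True)
    rows = []
    for line in result.stdout.splitlines()[1:]:  # skip the header row
        pid, _, args = line.strip().partition(" ")
        if pid.isdigit():
            rows.append((int(pid), args.strip()))
    return rows


# Constructed sample output so the example runs without a Solaris host.
SAMPLE_PS_OUTPUT = (
    "  PID COMMAND\n"
    "  812 /usr/lib/zones/zoneadmd -z web01\n"
    " 1044 /usr/sbin/sshd\n"
)


class _FakeResult:
    stdout = SAMPLE_PS_OUTPUT


def fake_run(argv, **kwargs):
    """Stand-in for subprocess.run that records every argv it receives."""
    fake_run.calls.append(argv)
    return _FakeResult()


fake_run.calls = []


def demo():
    accepted = list_zone_processes("web01", run=fake_run)
    rejected = []
    # Constructed names with shell metacharacters, spaces, a leading dash,
    # an empty value and an over-long value.
    for candidate in ["web01; id", "$(hostname)", "a b", "", "-z", "x" * 64]:
        try:
            list_zone_processes(candidate, run=fake_run)
        except ValueError:
            rejected.append(candidate)
    return accepted, rejected, fake_run.calls
```

Rejected names raise before the runner is called, so only the validated name appears in the recorded argv; requiring an alphanumeric first character also keeps a name from being read as a `ps` option.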

RCE

OS Command Injection


Weakness Enumeration

Related Identifiers

ALT-PU-2020-1453
ALT-PU-2020-1490
BDU:2021-03714
CVE-2019-14904
DLA-2535-1
DSA-4950-1
GHSA-GWR8-5J83-483C
MGASA-2020-0060
OESA-2021-1349
OESA-2022-1950
OPENSUSE-SU-2020:0513-1
OPENSUSE-SU-2020:0523-1
OPENSUSE-SU-2020_0513-1
OPENSUSE-SU-2022:0081-1
OPENSUSE-SU-2024:10615-1
OPENSUSE-SU-2024:14244-1
OPENSUSE-SU-2024:14536-1
OPENSUSE-SU-2025:15605-1
OPENSUSE-SU-2025:15753-1
OPENSUSE-SU-2026:10944-1
PYSEC-2020-161
RHSA-2020:0215
RHSA-2020:0216
RHSA-2020:0217
RHSA-2020:0218
SUSE-SU-2020:3309-1
USN-7330-1
USN-7330-2

Affected Products

Alt Linux
Ansible-Core
Ansible Engine
Astra Linux
Linuxmint
Suse
Ubuntu