PT-2020-6675 · Red Hat+2 · Ansible Engine+2

Published: 2020-01-28 · Updated: 2026-06-03 · CVE-2019-14905

CVSS v3.1: 7.3 (High)

Vector: AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Ansible Engine versions 2.9.x before 2.9.3
Ansible Engine versions 2.8.x before 2.8.8
Ansible Engine versions 2.7.x before 2.7.16 and earlier

Description

The issue is related to the nxos file copy module in Ansible, which can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections, potentially resulting in a loss of confidentiality of the system among other issues.

Recommendations

For Ansible Engine versions 2.9.x before 2.9.3, update to version 2.9.3 or later.
For Ansible Engine versions 2.8.x before 2.8.8, update to version 2.8.8 or later.
For Ansible Engine versions 2.7.x before 2.7.16 and earlier, update to version 2.7.16 or later.
As a temporary workaround, consider restricting the use of the nxos file copy module until a patch is available. Avoid using the filename parameter in the affected module to minimize the risk of exploitation.

Fix

RCE

Exposure of Resource to Wrong Sphere

Weakness Enumeration

Related Identifiers

ALT-PU-2020-1453
ALT-PU-2020-1490
BDU:2022-03971
CVE-2019-14905
GHSA-FRXJ-5J27-F8RF
MGASA-2020-0060
OPENSUSE-SU-2020:0513-1
OPENSUSE-SU-2020:0523-1
OPENSUSE-SU-2020_0513-1
OPENSUSE-SU-2022:0081-1
OPENSUSE-SU-2024:10615-1
OPENSUSE-SU-2024:14244-1
OPENSUSE-SU-2024:14536-1
OPENSUSE-SU-2025:15605-1
OPENSUSE-SU-2025:15753-1
OPENSUSE-SU-2026:10944-1
PYSEC-2020-206
RHSA-2020:0215
RHSA-2020:0216
RHSA-2020:0217
RHSA-2020:0218
SUSE-SU-2020:3309-1

Affected Products

Alt Linux
Ansible Engine
Suse