Back to search
CVE-2019-14904
Published: Aug 25, 2020
Modified: Aug 5, 2024
PUBLISHED
Description
A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as previous versions are affected.
| Vendor | Product | Versions |
|---|---|---|
n/a | Ansible | affected All versions before ansible-engine 2.9.4, before ansible-engine 2.8.8 and before ansible-engine 2.7.16 |
Weaknesses (CWE)
References
https://bugzilla.redhat.com/show_bug.cgi?id=1776944
x_refsource_MISC
https://github.com/ansible/ansible/pull/65686
x_refsource_MISC
[debian-lts-announce] 20210127 [SECURITY] [DLA 2535-1] ansible security update
mailing-list
x_refsource_MLIST
DSA-4950
vendor-advisory
x_refsource_DEBIAN
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now